Security Tools Tapped For Compliance Projects

Users link devices for capturing info about IT security incidents to corporate servers

BY JAIKUMAR VIJAYAN

Security event and information management appliances that were originally designed to help IT managers identify and deal with network threats are now finding new uses as regulatory compliance reporting tools within a growing number of companies.

The trend is being driven by the ability of such products to capture and correlate the torrents of log data generated by security devices, networking equipment, and database and application servers, IT managers and analysts said last week.

“A large percentage of the customers we’re speaking with originally purchased these tools for aggregating and correlating security data,” said Amrit Williams, an analyst at Gartner Inc. “Now they’re telling us that they’re using [the devices] for regulatory compliance.”

For example, Calpine Corp., a San Jose-based power producer, purchased a security event management appliance from Network Intelli-

Compliance, page 14

The SEC reduces the IT controls that must be tested for Sarb-Ox compliance, but the news isn’t all good. Page 5
EMC’s Midrange Disk Arrays Cannibalize Symmetrix Sales

BY LUCAS MEARIAN

NEW ORLEANS

Sales of EMC Corp.’s Clariion midrange storage systems are skyrocketing — but the company acknowledged last week that some of the growth is coming at the expense of the Symmetrix arrays that were once its bread and butter.

Users at the EMC Technology Summit here said the vendor continues to bolster the Clariion line with high-end functionality once reserved for Symmetrix, such as data mirroring, snapshot copying and dynamic provisioning.

“They’ve added feature functionality and performance to make [Clariion] what the

EMC, page 12


Sears Ends IT Pact; CSC Seeks Payment

Retailer says outsourcer breached contract; CSC claims that Sears schemed to avoid fees

BY CAROL SLIWA

Sears, Roebuck and Co. ended its 10-year, $1.6 billion IT outsourcing agreement with Computer Sciences Corp. after just 11 months. But the companies now face arbitration on a prickly dispute over the grounds of the cancellation and whether Sears has to pay termination fees to CSC.

At stake, according to motions that CSC filed April 25 with the U.S. Court of Appeals in Chicago, is roughly $96 million in termination fees. CSC claims that is the amount Sears should have to pay to end the contract.

Sears said in a May 11 filing with the U.S. Securities and Exchange Commission that it had cause to pull out of the contract, citing CSC’s “failure to perform certain of its obligations.” The retailer added that it expects to incur no “material” penalties as a result of the termination.

But in its own SEC filing last week, CSC countered that Sears’ attempt to end the contract for cause was “contrived to avoid or reduce” the termination fees that the outsourcing vendor says it is owed.

Sears-CSC, page 55

MORE ONLINE

CSC tried to get all court records related to its case against Sears sealed: QuickLink 54535

The looming increase in job turnover and retirements means that succession planning for key IT players is now a necessity, reports Thomas Hoffman. Page 39
Raise the Bar

In the Management section: Good vendor relationships — and superior service — don’t happen by accident. Here’s how our Premier 100 IT leaders get vendors to notch up their performance. Page 42

Pick Your Battles

In the Technology section: Vulnerability management allows users to prioritize threats and assets by creating a security plan that goes beyond emergency response. Page 21
4 Single sign-on specs created by Microsoft and Sun may help users in the future. But some need the technology now.

5 The SEC issues new Sarbanes-Oxley guidelines that reduce the number of IT controls companies must assess.

5 Pfizer intends to consolidate more than 30 document management systems and standardize on XML to meet federal regulations.

8 IBM plans to release a database for configuration management, but other vendors claim it’s not the first to take a federated approach.

8 Cybersecurity standards proposed for the utility industry are flawed, say conference attendees.

10 SAP announces that 10 technology providers have licensed its ESA middleware.

10 Bank insiders were involved in a massive theft of account data over four years, New Jersey police allege.

12 Global Dispatches: Fujitsu plans to offer its palm-reading biometric system outside Japan; and Sabre agrees to buy a U.K. online travel agency.

14 EMC will ship its storage virtualization technology late, but users are willing to wait.

55 EDS sues a North Carolina health agency after it awards a contract to a rival vendor.

24 Rounding Up Business Rules. Business rules engines and management systems automate enforcement of the rules and policies that make key processes run smoothly.

30 Security Manager’s Journal: Protecting Consumer Data on the Cheap. A mandate to protect personal data in the state agency’s databases isn’t accompanied by extra funds, so C.J. Kelly has to come up with an inexpensive strategy.

34 Future Watch: Coming: Sensors and Pixels Everywhere. Accenture global director of research Anatole Gershman discusses work on intelligence technologies that are aimed at connecting IT systems with the physical world.

MANAGEMENT

39 Grooming the Next Generation. The impending exodus of baby boomers and the dearth of computer science graduates appear more troublesome now that the economy is picking up and IT staffers are starting to look around for greener pastures. If there was ever a time to get serious about succession planning, it’s now.

48 Career Watch. FedEx’s Sherry Aaholm answers readers’ questions about jobs and careers. Also, we look at ways to hang on to your company’s “deep smarts,” top workforce-building challenges and the good and bad news about CIOs.


6 On the Mark: Mark Hall reports that one offshoring vendor is saying that pay increases in India aren’t going to make doing work there more expensive for U.S. companies.

16 Don Tennant found someone else’s canceled checks in his bank statement, so he took a look at the systems that allowed such a privacy breach.

16 Virginia Robbins loves that feeling when everything finally comes together and a project is successful on all fronts.

17 David Moschella thinks a new platform is emerging at the very front of the corporation. Will IT play a role?

36 Jian Zhen helps IT managers weigh the costs and benefits of buying software versus appliances.

50 Paul M. Ingevaldson, retired Ace Hardware CIO, makes the case for the CIO to report directly to the CEO. Pass it along.

56 Frankly Speaking: Frank Hayes laments what the Sarbanes-Oxley Act is doing to trust within businesses, but he sees a ray of hope in new SEC guidelines.
Sober-ing Reminder

SECURITY: The release of two variants of the Sober worm prompts columnist Douglas Schweitzer to reiterate the importance of training employees to practice safe computing. QuickLink 54239

Where Have All the Experts Gone?

DEVELOPMENT: Offshoring and layoffs may look good for the bottom line at first, columnist Linda Hayes says, but the loss of in-house experience can come back to haunt you. QuickLink 54208

Managing Global CRM

PRIVACY: Rolling out CRM internationally? Columnist Jay Cline says you’ll need to consider the differing needs of the world’s privacy “fundamentalists” and “pragmatists.” QuickLink 54420

Is There Really a Glass Ceiling for CIOs?

CAREERS: By taking steps to become more confident and action-focused, CIOs can become successful CEOs, says Korn/Ferry’s Simon Wiggins. QuickLink 54265

Health Care Hurdles

STORAGE WEBCAST: John D. Halamka, CIO at both CareGroup Health System and Harvard Medical School, oversees the IT infrastructure for 3,000 doctors who move 70TB of data a day. He discusses how he keeps his users happy in this free on-demand webcast. QuickLink a5870

What’s a QuickLink?

Throughout each issue of Computerworld, you’ll see five-digit QuickLink codes pointing to related content on our Web site. Also, at the end of each story, a QuickLink to that story online facilitates sharing it with colleagues. Just enter any of those codes into the QuickLink box, which is at the top of every page on our site.
Texas County Sues SAP and Siemens

Collin County, Texas, filed a lawsuit against units of SAP AG and Siemens AG, charging fraud, breach of contract and negligent misrepresentation. The county is seeking almost $16 million in damages. The suit was filed after the companies failed to complete work on an ERP system slated to be finished in October. SAP and Siemens have filed motions to dismiss the lawsuit.

Waitt Resigns as Gateway Chairman

Gateway Inc. founder and Chairman Ted Waitt has resigned from the PC company, passing his baton to longtime board member Richard Snyder. Waitt, Gateway’s chairman for 20 years, said he is leaving to concentrate on his other businesses and to do philanthropic work. Snyder has been a director at the Irvine, Calif.-based company since 1991 and was president and chief operating officer in the mid-1990s.

Broadcom Brings Suit on Qualcomm

Communications chip vendor Broadcom Corp. has sued Qualcomm Inc., seeking to halt the manufacture and sale of key Qualcomm chips. Two suits, filed in the U.S. District Court in California, allege that Qualcomm has infringed a total of 10 Broadcom patents. Broadcom has also filed a complaint with the International Trade Commission.

Google Updates Desktop Search

Google Inc. has released a desktop search tool tailored for the workplace. The new tool, called Google Desktop Search for the Enterprise, has a series of installation, distribution, management and security features for IT departments to use when rolling out and configuring the product.
Faces User Scrutiny

Microsoft, Sun to propose technical specs as a standard

BY PATRICK THIBODEAU

The single sign-on specifications that Microsoft Corp. and Sun Microsystems Inc. announced this month won’t help John Wade, CIO at Saint Luke’s Health System, a 10-hospital health care group in Kansas City, Mo.

That’s partly because most of the systems at Saint Luke’s are from Hewlett-Packard Co. But Wade said he just can’t wait for IT vendors to solve the single sign-on problem.

His end users see the lack of that capability as their major systems headache, he said.

As a result, Wade expects to spend $100,000 to $500,000 of his $23 million IT budget to add single sign-on functionality by early next year. The effort could involve the creation of custom interfaces.

“I don’t think any of the vendors have a real simplified directory management process,” he said. “It’s an industrywide problem.”

Sun and Microsoft agreed to two sets of specifications allowing single sign-on for users of systems running Solaris and Windows [QuickLink 54419]. The announcement came at the one-year anniversary of an agreement by the two companies to settle a long-running legal dispute and cooperate on integrating their products.

Microsoft and Sun have released draft specifications. They will be submitted to an as-yet-unnamed standards body and will face scrutiny from rival vendors as well as users. Even Microsoft and Sun users won’t see products with capabilities built around the proposed single sign-on specifications until next year.

The access-control and single sign-on products now on the market have largely been developed to work in single operating environments, said Lynn Goodendorf, vice president of information privacy protection at Windsor, England-based InterContinental Hotels Group PLC, which operates 3,500 hotels worldwide.

“The goal of most users is we want to have one solution that would work in all our different environments and operating systems, and not have multiple tools to do that,” Goodendorf said. She noted that InterContinental has a single sign-on system for its Web-based applications but not for its mainframes.

Goodendorf said the Sun-Microsoft agreement was “a positive development for privacy” because single sign-on is closely coupled with improved data access controls.

But it’s unclear whether the specifications will be supported as standards by other vendors. For example, the Liberty Alliance, which includes Sun and is one of the major vendor groups working on identity management issues, characterized the Microsoft-Sun specifications as a step, not a solution.

Not ‘Truly’ Interoperable

Sai Allavarpu, director of product management and marketing at HP, said Sun and Microsoft have no plan for involving users or other vendors in finalizing the specifications.

“So it doesn’t appear to be a truly interoperable solution,” he said. “It just appears to be interoperability between two implementations.”

But Sun and Microsoft said that the standards-approval process will involve other vendors. And they argued that the specifications are applicable for any system that uses either the Liberty Alliance’s protocols or the Web Services Federation specification, which was developed by Microsoft and vendors such as IBM and BEA Systems Inc.

IT managers have said that they welcome the prospect of single sign-on and that it could help reduce costs, but that there are risks as well.

“As nice as it is to think that one username and password will gain you access to all of your systems, it also means that the employees need to be overly protective of their login codes,” said Brian Young, vice president of IT at Creighton University in Omaha. “Single sign-on gives everyone a master key to their house.”
ID Management Ties Are GM’s Top Priority

GENERAL MOTORS CORP. has played a key role in getting Sun and Microsoft to cooperate on cross-platform identity management. Fred Killeen, director of systems development and chief technology officer for GM’s information systems and services organization, said in an interview last week that single sign-on capability is the automaker’s top priority for the two vendors.

To what degree have your users been frustrated by the lack of interoperability between Microsoft and Sun products?

Clearly, as users, we would like to have our life simplified - we would like to have fewer IDs and fewer passwords. From a GM perspective, we really view it as a security component as well, because the more IDs and passwords you have, users tend to write them down, and they tend to put them in places which actually make you less secure than more secure.

In terms of identity management, what impact will the capabilities that Microsoft and Sun are promising have on your costs?

I don’t think we know enough yet. Certainly, there are lots of estimates on percentages of calls to your help desk for password resets. This isn’t going to make all of them go away, because you still have lots of other applications out there. But it can certainly reduce them.

We [also] believe it can help reduce some of the access management requirements. It would integrate the identities there.

If we were going to integrate as is, because we’re in an outsourced environment, we would pay a supplier to develop these interfaces, maintain them over time and refresh them every time these suppliers upgrade their products.

Sun and Microsoft also want to improve their management capabilities and make it easier to write applications that run in both environments. What do you want to see the companies accomplish next?

I think they’re not done with identity management. We need to continue to drive this [and] look at the integration issues and how you pull these two environments together.

Down the road, the other technologies that they have talked about are great opportunities. But at least for right now, this is the one that we highlighted, and we want to make sure that we drive this one to closure.

-Patrick Thibodeau

READ MORE ONLINE

Go to our Web site for an extended version of this interview:
SEC Offers Limited Sarb-Ox Relief to IT

Feedback leads to modifications in assessing controls

BY THOMAS HOFFMAN

The U.S. Securities and Exchange Commission last week issued new Sarbanes-Oxley Act compliance guidelines that should provide IT departments at publicly held companies with some relief by reducing the number of IT controls that must be assessed each year.

However, the SEC will continue to require that companies assess the controls that are in place for any new systems or software upgrades — particularly those that affect financial reporting — despite feedback from auditors and IT that such rules can be stifling.

For instance, the SEC denied requests that it exclude new systems and upgrades installed late in a fiscal year from year-end testing requirements. According to the guidelines, “management can plan, design and perform preliminary assessments of internal controls in advance of system implementations or upgrades.”

That means companies must conduct risk assessments on the systems during the planning stages “and focus on the high-risk areas,” said Carter Priess, CEO of Pace Solutions Inc., an IT audit consultancy in Danvers, Ill.

The SEC guidelines are aimed at allowing auditors to reduce the number of checks they conduct on internal controls under Section 404 of the law. Some analysts say the changes suggest that the original requirements may indeed have been excessive.

Implications Unclear

Todd Naughton, vice president and controller at Zebra Technologies Corp., a high-tech printing vendor in Vernon Hills, Ill., said he will need a few weeks to review the SEC’s guidance with IT and external auditors to determine its implications.

Still, Naughton said he’s “guardedly optimistic” that the SEC’s latest guidance “will offer relief to our IT staff.”

In the statement last week, the SEC said that it will no longer require an assessment of all IT controls, only those that affect the financial reporting of an organization.

SEC Statement

“The staff does not believe it necessary for purposes of Section 404 for management to assess all general IT controls, and especially not those that primarily pertain to the efficiency or effectiveness of the operations of the organization but are not relevant to financial reporting.”

— From the SEC’s “Staff Statement on Management’s Report on Internal Control Over Financial Reporting”

Many IT managers had previously complained about the lack of clarity in terms of the IT controls that had to be assessed, said John Hagerty, an analyst at Boston-based AMR Research Inc.

By narrowing the scope of the IT controls that need to be annually reviewed, the SEC guidance “should lower the burden on IT,” Priess said.

The SEC’s new recommendation that IT departments conduct risk assessments on general IT controls such as those around information security may have introduced a new “level of ambiguity,” said Sanjay Anand, chairman of the Sarbanes-Oxley Group of Auditors and Professionals, an online community of Sarbanes-Oxley practitioners based in Clifton, N.J.

“The approach has shifted from ‘test all controls’ to ‘a risk-based approach to choosing which controls to review,’” said Anand.

All in all, said Hagerty, the result will depend heavily on how auditors interpret the guidelines. QuickLink 54533

MORE ON SARB-OX

Columnist Frank Hayes gives his take on the guidelines. Page 56

Rules Prompt Pfizer to Consolidate Content Management Systems

Project to convert Word documents to XML also on tap

BY HEATHER HAVENSTEIN

Pfizer Inc. is embarking on an effort to consolidate more than 30 document management systems in order to streamline regulatory submissions.

At the same time, the New York-based drug giant has started an effort to standardize on XML for authoring to meet new federal regulations.

The projects stem from the challenges associated with meeting new submission requirements from the U.S. Food and Drug Administration and other agencies, said Christopher Lee, director of worldwide regulatory operations at Pfizer.

A consolidated content management system will allow the company to meet these evolving submission requirements without having to deploy tactical point solutions or revise content multiple times, Lee said.

Pfizer plans to build the content repository by using technology from the Documentum Inc. unit of Hopkinton, Mass.-based EMC Corp.

The content management system consolidation will span operations in 26 countries and different corporate groups such as research and marketing to create one seamless flow of information to support regulatory submissions, according to Lee.

The company is also defining “authoritative sources” of content so information about a single subject — such as a drug compound — can be limited to one location.

Consolidating content management systems will likely allow Pfizer to more easily integrate content needed for regulatory submissions that may now be created on disparate systems, said Nathaniel Palmer, an analyst at Delphi Group in Boston.

“It will be a huge effort . . . if they’re able to do it successfully, the advantages would be tremendous around the life cycle of information and being able to trace back to the origins of that information,” Palmer said.

At the same time, Pfizer plans to convert all of its regulatory submission-related content from Word to XML.

Beginning in October, the FDA will require that pharmaceutical companies submit changes to product labeling in an XML format. Most pharmaceutical companies, including Pfizer, now deliver these changes in Word documents.

Pfizer will decide in the next 30 days whether to use an outside vendor to convert existing documents to XML or build in-house tools to do the job.

The company plans to create documents directly in XML by using tools from Arbortext Inc. in Ann Arbor, Mich., Lee said.

[Photo caption] CONSOLIDATING PFIZER’S content management systems should improve the work done in its laboratories, the pharmaceutical company says.

In parallel, the company is building a common template that can help in the process of converting Word documents to XML.

“From a business standpoint, Word right now introduces the opportunity for variability,” which hinders efforts to standardize company documents, Lee said.

In addition, an XML-based authoring system will allow the people writing the content — often physicians — to focus solely on content without having to worry about structure of the document, he said.

However, Palmer noted that there will be cultural challenges associated with migrating authoring to XML. “You have fiefdoms . . . that aren’t going to easily change,” he said. QuickLink 54532

MORE ONLINE

Attendees at the AIIM show say they’re looking for ways to better manage content and make it easier for users to access:
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Brocade  to  Restate 
2001-04  Results 


Data  storage  equipment  maker 
Brocade  Communications  Sys¬ 
tems  Inc.  said  that  it  overstated  its 
earnings  by  as  much  as  $52  mil¬ 
lion  from  2001  through  2004  be¬ 
cause  of  improper  accounting  of 
its  stock-option  expenses.  San 
Jose-based  Brocade  also  dis¬ 
closed  that  it  is  cooperating  with 
a  joint  investigation  of  its  stock- 
option  practice  by  the  U.S.  De¬ 
partment  of  Justice  and  the  Secu¬ 
rities  and  Exchange  Commission. 


HP  Results  Beat 
Expectations 

Led by strong revenue growth outside of the U.S., Hewlett-Packard Co. reported that its second-quarter revenue grew 7% from the year-earlier period, slightly ahead of Wall Street’s expectations.

HP BY THE NUMBERS

         REVENUE    PROFIT
Q2’05    $21.57B    $966M
Q2’04    $20.11B    $884M

PalmOne  Names 
Colligan  CEO 

Handheld device maker PalmOne Inc. has named Ed Colligan president and CEO. He had been serving as interim CEO since former head Todd Bradley left in February. Colligan has been charged with regaining PalmOne's dwindling share of an overall declining handheld market from companies such as HP.


Microsoft  Adds 
Hosting  Tools 

Microsoft Corp. has unveiled new tools to help hosting service providers integrate Windows-based applications into their sites and improve site management. The Windows-based Hosting Version 3.5 is aimed at providers that offer shared Web hosting or discount dedicated server hosting. The tool includes support for Microsoft Operations Manager.
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HOT  TECHNOLOGY  TRENDS,  NEW  PRODUCT 
NEWS  AND  INDUSTRY  BUZZ  BY  MARK  HALL 


. . . the cost of IT work heading to India. So claims Marc Hebert, executive vice president of marketing at Sierra Atlantic Inc., an offshore outsourcer in Fremont, Calif. Despite annual wage increases of 15% to 20% for IT staffers in India, the cost of technology operations there won’t edge upward, Hebert argues. He says that those pay increases are being compensated for by better productivity from India-based IT workers, with the subcontinent’s improved technology infrastructure contributing to the productivity boost. Hebert adds that India’s universities today produce four engineers for every one graduating from a U.S. school — a ratio that he predicts will reach 10-1 by 2015. The prevalence of graduates in India means that Sierra Atlantic can hire well-trained entry-level programmers and IT administrators, which helps keep its costs down, Hebert says. To keep up with demand, Sierra Atlantic added 400 jobs last year, increasing its total workforce to about 900 employees. About 50 of those new jobs were in the U.S. Hebert claims that during the last presidential election, the opposition to offshoring voiced by many Democrats backfired and gave the practice some “good PR.” Similarly, he suggests that television commentator Lou Dobbs, who regularly criticizes offshoring on his show, “does more to help the industry than anybody.” The offshore phenomenon is spreading, Hebert says, noting that some companies in Canada — which itself is considered a “nearshore” alternative for U.S. businesses — have begun moving IT jobs to India through Sierra Atlantic.

HEBERT: India’s productivity trumps rising wages.

Trust your PC to protect your . . .

. . . network. No, not Windows, but the PC hardware itself. In March, Dell Inc. became the last of the major PC makers to begin shipping systems with Trusted Platform Module (TPM) security devices, which are based on specifications developed by Trusted Computing Group Inc. in Portland, Ore. Steven Sprague, CEO of IT security vendor Wave Systems Corp. in Lee, Mass., says that in four or five years, as companies replace their older PCs, all corporate desktops and laptops should be TPM-ready. TPM chips can be used to encrypt e-mail messages and data on hard drives. Most important, says Sprague, the technology can authenticate users before letting them on corporate networks, making it more difficult for unauthorized people to access systems. He adds that once all your PCs are TPM-enabled, it may be possible to ditch your single sign-on plans because you’ll be able to use the initial authentication to give end users access to all their applications. Sprague says the TPM specification for mobile devices will be ready by the end of the year. Goodness. What will we do when computing becomes secure?

A  lot  cheaper  and 
more  secure . . . 

. . . than PCs. That’s what all thin-client advocates boast about their devices. Yet, according to market research company IDC, thin clients make up a minuscule 1% to 2% of the overall desktop market. That doesn’t dampen the enthusiasm of Michael Kantrowitz, CEO of Neoware Systems Inc. in King of Prussia, Pa. After all, Fortune magazine just dubbed Neoware the eighth-fastest-growing company in the U.S., and IDC ranks it as the No. 2 thin-client vendor behind Wyse Technology Inc. Kantrowitz thinks his company is on a trajectory to pass San Jose-based Wyse, although he wouldn’t say when. Furthermore, he predicts that by 2010, as much as 10% of desktop systems will be thin clients, due to a combination of cost issues and security concerns that TPM technology may or may not resolve. Kantrowitz estimates that up to 90% of corporate desktops could be replaced by thin clients, but he acknowledges that it won’t happen. “PCs are entrenched in IT departments and will continue to be entrenched,” he says.


CEOs,  even  CIOs, 
just  don’t  see . . . 

. . . good vendor support. That’s the response from J.B. Wood, president of the Service & Support Professionals Association in San Diego, to a recent item here about IT execs taking aim at pricey technical support deals [QuickLink 53633]. “As you move up the IS chain, user-support satisfaction levels go down, and the perceived value of the [service and support] contract goes down,” Wood observes. Ironically, a vendor’s support gets management kudos only when the technology is flaky, he says. “The invisibility of good support helps systems stay up, drives TCO down and unlocks business benefits that users might not otherwise see,” Wood claims. His advice: When you’re renegotiating your service and support contracts, take more than those annual fees into account. O 54489

WOOD: Execs can’t see service and support value.

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IBM  Adds  New  Choice 
On  Configuration  DBs 

Claims  to  offer  first  truly  federated 
repository  for  IT  info;  others  disagree 


BY MATT HAMBLEN

When IBM last week detailed plans to release a database for consolidating information about system configurations and other IT settings, it claimed to be the first management tools vendor to announce “a truly federated approach” for pulling together such data.

But that claim unleashed a torrent of reactions from competitors that said they already offer what IBM plans to roll out later this year. And two technology analysts said IBM’s Tivoli unit is playing catch-up to other vendors on the configuration management database (CMDB) concept.

Tivoli’s upcoming Change and Configuration Management Database software and other products like it aim to give IT managers a central repository of data about their technology installations. The use of a single management database is recommended as part of the IT Infrastructure Library (ITIL), a set of IT management guidelines.

Wayne Fowler, director of server and systems management at BMO Financial Group, said the Toronto-based banking firm is devoted to ITIL practices. “We’re a pure-play ITIL shop, and we take a religious approach to it,” he said.

But he added that BMO plans to use six to 12 management databases from different vendors to help administer the more than 2 million components of its global network. IBM’s forthcoming offering will be part of that mix.

BMO has been a Tivoli customer for six years. But it also uses BMC Software Inc.’s IT service desk management tools and Peregrine Systems Inc.’s asset management software, Fowler noted. “The approach you want to ask from any vendor is, ‘How do you fit in a federated environment, or would you rather try to rule the world?’ ” he said.

Lender’s Service Inc., which provides property valuation, title and closing services to lending companies, doesn’t use a federated database yet. But Marc Machin, a senior systems engineer at LSI’s Santa Ana, Calif., office, said it would be desirable to have one so he could have “one entry point to look at everything.” He added that he needs to research how well the available databases integrate with other tools.

BMC today will announce plans to combine its Patrol and Patrol Express software to create a product called Performance Manager that’s designed to offer users both agent-based and agentless management tools.

The two Patrol products will be bundled under a single license next month, and BMC plans to integrate them with its CMDB next year, said Tom Bishop, who was named chief technology officer at the Houston-based company last week. BMC announced its CMDB in January and has shipped the database to 65 customers, according to Bishop.

Hewlett-Packard Co., Computer Associates International Inc. and other vendors said they also have federated databases for consolidating IT information. For example, HP has offered a CMDB with its OpenView Service Desk software since 1999, said Bill Emmett, chief solutions officer for HP’s software unit.

IBM plans to ship a limited release of the Tivoli database this summer. Mary Johnston-Turner, an analyst at Summit Strategies Inc. in Boston, said the upcoming database is “extremely important . . . because IBM has been behind on addressing ITIL.” O 54516

More Tools

IBM also announced the following Tivoli products:

■ Unified Process, an ITIL-based navigation tool that provides information for mapping and modifying IT processes.

■ Process Managers, a set of packaged software that automates change, availability and information life-cycle management processes.

■ Upgraded provisioning and configuration management tools that track data center resources and install security patches.


BY THOMAS HOFFMAN

CHICAGO

A set of cybersecurity standards proposed by the North American Electric Reliability Council (NERC) are too detailed in some instances, attendees at an industry conference here said last week.

Users at the Platts Cyber Security for Utilities conference said that if the proposal is adopted, it could lead to regional differences in interpretation and extra compliance work for information security managers at electric utilities.

NERC’s proposed cybersecurity standards, known as CIP-002 through CIP-009, cover areas ranging from the security of critical cyberassets to personnel screening and training requirements.

Charles Noble, a member of the NERC drafting committee who is also the information security coordinator at ISO New England in Holyoke, Mass., said the biggest weakness of the proposal is that it’s too prescriptive in certain areas, like records management, where it spells out the number of years that specific types of records must be maintained.

A key strength of the proposal is that it’s being driven by utilities and not by the federal government, said James Sample, manager of information security services at California Independent System Operator Corp. in Folsom. With utility-driven standards, “we can control our own destiny,” Sample said.

Enforceability Unclear

NERC’s membership includes utilities and related organizations. Its mission is to ensure the reliability of bulk power generation in North America. As a volunteer organization, its standards aren’t currently enforceable.

However, the energy bill that’s currently being debated by the U.S. Senate includes a proposal to grant NERC regulatory authority. And even if NERC’s proposed standards aren’t eventually approved by its members, it’s widely believed that the Federal Energy Regulatory Commission (FERC) or state regulatory authorities would step in to create and enforce more-rigid cybersecurity requirements.

If the standards aren’t passed by two-thirds of NERC’s members as required, “I wouldn’t be surprised if FERC doesn’t jump on it, make it a federal regulation and toughen up some of the language,” said Scott McCoy, director of security at Minneapolis-based Xcel Energy Inc.

To date, NERC members have voted on two drafts of the proposed standards. Earlier this month, the council posted the third draft, which members will be able to comment on for a 45-day period. In late July, the NERC drafting committee will post a final draft for a 30-day review before the next round of voting, said Larry Bugh, chairman of the NERC standard drafting team and manager of IT for the East Central Area Reliability Council, one of 10 regional NERC units.

“The biggest challenge we face is the corporate culture.”
JAMES SAMPLE, MANAGER OF INFORMATION SECURITY SERVICES, CALIFORNIA ISO


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One  of  the  concerns  that  in¬ 
dustry  security  managers  have 
is  that  the  current  standard, 
known  as  UA 1200,  is  set  to 
expire  in  early  August,  thus 
leaving  a  gap  between  cyber¬ 
security  standards. 

Barry Lawson, manager of power delivery at the National Rural Electric Cooperative Association, said he believes most utilities will continue to abide by the current standard until another one is approved.

Thomas Kropp, a project manager at the Electric Power Research Institute in Palo Alto, Calif., noted that other cybersecurity standards being developed by organizations such as the National Institute of Standards and Technology and the Institute of Electrical and Electronics Engineers Inc. may end up imposing conflicting demands upon utilities.

If and when NERC cybersecurity standards are published and regardless of how their content may change, utilities will still face compliance challenges. “The biggest challenge we face is the corporate culture” in terms of getting plant operators and other workers to change their mind-sets about security, said Sample.
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Legendary  Reliability' 


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Nortel,  IBM  to 
Build  Network  Gear 


Nortel Networks Corp. and IBM have agreed to jointly develop networking products for the telecommunications industry. They will initially focus on developing carrier-grade servers for communications providers. Those products will be based on IBM's BladeCenter server design. The companies have created a 30-person joint development center in Research Triangle Park, N.C.


CEO  Otellini  Begins 
New  Era  at  Intel 

Paul Otellini has become the fifth CEO in Intel Corp.'s 37-year history - and he’s the first person without an engineering background to rise to the top spot there. Otellini replaces Craig Barrett, Intel’s CEO since 1998, who will become chairman. Andy Grove, the current chairman, will step down from the board but continue to advise Intel’s leaders.


BT  Group  Posts 
Sales,  Profit  Gains 

BT Group PLC credited its “new wave” offerings - information and communications technology, as well as broadband and mobility services - for increases in revenue and profit in its fourth fiscal quarter, which ended March 31.




Fujitsu  Shipping 
High-End  Sparc  CPU 

Fujitsu Computer Systems Corp. is shipping a faster version of its Sparc64 V processor with certain PrimePower Unix servers. The company said five PrimePower models will ship with a 2.08-GHz Sparc64 V CPU with 4MB of on-chip cache. Fujitsu wouldn’t say whether it plans to ship the new chips with its low-end PrimePower 250 and 450 systems.
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Ten  Tech  Firms  License 
SAP’s  ESA  Middleware 


CEO  also  hints  at 
pricing  moves  at 
the  Sapphire  event 

BY  MARC  L.  SONGINI 

BOSTON 

SAP AG last week said that 10 technology companies, including Microsoft Corp., Cisco Systems Inc. and Computer Associates International Inc., have licensed its Enterprise Services Architecture (ESA) as it continues to extend its service-oriented architecture platform.

At its Sapphire 2005 user event here, the ERP and business applications vendor touted the Web-based ESA and its centerpiece NetWeaver middleware technology, which can be used to integrate SAP’s mySAP suite with homegrown and third-party applications.

In addition, Henning Kagermann, chairman and CEO of SAP, hinted that as the ESA stack evolves, SAP might change its current, traditional licensing policy to what he called “value-based pricing.”

User Interest

Users at the conference said they are closely watching the evolution of ESA.

The NetWeaver stack is “absolutely part of our business strategy,” said Ed Deenihan, vice president of global services at Network Appliance Inc., a storage systems and services provider and an SAP partner.

Deenihan said his company is looking to integrate its remote and on-site support offerings. By using NetWeaver, he said, “we don’t think we have to rip out what we’ve already done. The key is we can evolve at the pace that a customer wants.”

Edward Pisula Jr., director of corporate IT at Respironics Inc., a Murrysville, Pa.-based maker of respiratory devices, said the NetWeaver platform can be used to tweak his company’s software for competitive advantage.

Respironics now runs SAP’s R/3 ERP and Business Warehouse business intelligence applications. Pisula said NetWeaver could make SAP’s proprietary ABAP programming language easier to use by crafting simple user interfaces that provide users with pertinent data via a portal.

As for value-based pricing, Pisula said the jury is still out. “I’m willing to listen,” he said.

Ralph Loura, vice president and CIO at Holtsville, N.Y.-based wireless products provider Symbol Technologies Inc., said that although value-based pricing is an interesting concept, he would need more details before making a decision about it.

NetWeaver has the potential to provide something that software vendors have been promising for 10 years in terms of creating complete workflows, but there are significant technical problems, said David Dobrin, an analyst at consultancy B2B Analysts Inc. in Boston. “You have to make sure the puzzle pieces fit together right,” he said. “You can’t just take a few pieces here and there and expect to make it all work.”

Meanwhile, SAP also announced mySAP CRM 2005 at the user conference.

The new system includes enhanced marketing capabilities, including an e-mail response management tool, and service management improvements to let users automate the handling of warranties, returns and other processes.

The CRM application is slated to ship in October.

© 54537


N.J.  Police  Charge  Nine  for  Stealing  Bank  Account  Data 


Thefts  allegedly  involved  bank  workers, 
took  place  over  a  four-year  period 


BY TODD R. WEISS

Hundreds of thousands of electronic account records were allegedly stolen from four banks and sold to collection agencies and law firms by a New Jersey data-theft ring that included seven bank employees, according to police in the city of Hackensack.

The Hackensack Police Department last week increased the total number of customer accounts that allegedly were breached to about 676,000. That’s up from the initial count of 500,000 records.

“This thing’s getting bigger and bigger,” Hackensack Police Capt. Frank Lomia said. “It’s still growing. The banks are uncovering more accounts than we knew about.”

The case has so far led to criminal charges against nine people, and the Hackensack police are continuing their investigation into the alleged thefts by the group, which is believed to have operated for more than four years. The U.S. Department of the Treasury and the Internal Revenue Service also are involved in the investigation, police said.

Insiders Suspected

The police department announced the arrests of the nine suspects on April 28. They were charged with illegally selling personal information stolen from bank and New Jersey state computer databases. The suspects captured screen images of some records and printed out others, police said.

Police allege that a 35-year-old Hackensack resident set up an unlicensed company as a collection agency and a business for locating individuals who had defaulted on payments. He allegedly paid the bank employees to provide him with data about customers, including their names, account numbers and balances.

The employees worked for Wachovia Corp., Bank of America Corp., Commerce Bancorp Inc. and PNC Bank NA, according to the allegations. None were IT staffers.

Fran Durst, a spokeswoman for Wachovia, said the Hackensack police have released the names of 300,000 people whose information may have been stolen. Wachovia is notifying about 14,000 of its customers whose names were on the list, she said.

Bank of America hasn’t revealed the number of its customers who may have been affected by the data thefts. Spokeswoman Alexandra Liftman would say only that the bank has communicated with about 75 customers whose records are known to have been accessed.

A spokesman for PNC Bank said it has identified only 12 customers who might be affected. Officials at Commerce Bank couldn’t be reached for comment last week. © 54542

“This thing’s getting bigger and bigger. . . . The banks are uncovering more accounts than we knew about.”
CAPT. FRANK LOMIA, HACKENSACK POLICE DEPARTMENT
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Fujitsu  Expands  Market 
For  Biometric  System 

TOKYO 

Fujitsu Ltd. last week announced that it will begin selling its palm-vein biometric security system outside Japan by the end of this year.

The system, which uses the pattern of veins inside a person’s hand to verify his identity, has been available in Japan since mid-2004 and is already being used in some high-profile applications.

For example, The Bank of Tokyo-Mitsubishi Ltd., Japan’s third-largest retail bank, began rolling out the technology last October in its 267 branches as an alternative to personal identification numbers for ATM transactions. About half of the bank’s 3,000 ATMs will have the system by September.

The product being offered by Tokyo-based Fujitsu includes a scanner that is similar to a digital camera but works in the near-infrared range, so it can detect veins. The system then uses a proprietary algorithm to match the images produced by the scanner to a database for verification, taking into account the number of veins, their position and the points at which they cross.

■  MARTYN  WILLIAMS,  IDG  NEWS  SERVICE 


Sabre  to  Pay  $1B  for 
U.K.’s  Lastminute.com 

LONDON 

Sabre Holdings Corp., the operator of Travelocity.com LP, announced May 12 that it plans to create Europe’s largest online travel agency by acquiring London-based Lastminute.com PLC for £577 million ($1.08 billion U.S.).

Technically, the acquisition will be made by Travelocity Europe Ltd., an indirect subsidiary that Southlake, Texas-based Sabre established for the purpose of executing the deal.

Sabre, which expects to close the acquisition by the end of July, said that the combined Travelocity and Lastminute.com business will have strong positions in the U.K., France, Germany, Italy, Scandinavia and Spain.

■  LAURA  ROHDE,  IDG  NEWS  SERVICE 


Asian  Telecom  Carrier 
Taps  Java  for  Operations 

TOKYO 

Sun Microsystems Inc. last week announced that it will supply software and servers to KT Corp., South Korea’s dominant telecommunications carrier, under a deal that Sun says advances the use of Java in that industry’s back-end systems.

Seoul-based KT, formerly known as Korea Telecom, will use Java application programming interfaces (API), J2EE middleware and servers running Solaris to tie together the network management, provisioning and billing systems that support its nationwide broadband network.

Sun and KT will jointly develop the operational support system, or OSS, as it’s known among telecom carriers.

The deal is part of Sun’s “OSS through Java” initiative, which uses Java APIs to integrate components of operational and business support systems in the telecommunications sector. That industry is Sun’s biggest vertical market globally. © 54501

■  MARTYN  WILLIAMS,  IDG  NEWS  SERVICE 
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of  broadband  Internet 
subscribers  in  China 
by  year’s  end. 
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Briefly  Noted 

Cuba’s daily newspaper reported last week that the government will gradually switch from Windows to the Linux operating system on all PCs, according to the Agence France-Presse news service. Roberto del Puerto, director of the country’s IT office, told the government daily that Cuba already has about 1,500 Linux computers in place.

Xenos Group Inc., based near Toronto, announced last week that BCEE (Banque et Caisse d’Epargne de l’Etat du Luxembourg), the largest bank in Luxembourg, plans to install its d2e document management software. The Xenos software will be integrated with a content management system from EMC Corp.’s Documentum unit.

Two global outsourcing advisory firms based on different sides of the Atlantic merged last week. Trowbridge Group in Addison, Texas, and London-based ALS Consulting Ltd. said they have combined to form Alsbridge Ltd., which will have offices in both locations.


Continued from page 1

EMC

Symmetrix was three or four years ago,” said John Hegner, vice president of technology services at Liberty Medical Supply Inc. in Port St. Lucie, Fla. “Except for the highest feature functionality, I don’t see a place for Symmetrix.”

Hegner manages more than 50TB of data stored in Clariion arrays. Liberty Medical doesn’t use any Symmetrix systems, he said.

Michael Berthiaume, a systems analyst at American Power Conversion Corp. in West Kingston, R.I., said his company recently replaced two older Symmetrix 8530 arrays with one high-end DMX and one Clariion CX700 array, achieving a “significant” return on investment.

The Clariion array, which can use either higher-end Fibre Channel disk drives or lower-cost Advanced Technology Attachment disks, is used by Berthiaume’s shop for applications such as Lotus Notes and software from Oracle Corp. and Siebel Systems Inc. The DMX array is used almost exclusively for CRM applications, he said.

In the quarter that ended March 31, sales of Clariion systems totaled $419 million, up 47% from $285 million in the year-earlier period. First-quarter 2005 sales of Symmetrix systems, in contrast, declined 3% to $652 million.

Mark Lewis, EMC’s chief development officer, said that the company is welcoming the movement of Symmetrix users to midrange systems.

“We just want to be change embracers,” Lewis said. “At the end of the day, bring it on. Let it happen. The only risk you always have is sticking your head in the sand.”

Joel Schwartz, general manager of EMC’s midrange systems division, said that while Symmetrix will remain a standard for highly resilient and high-throughput systems, he isn’t troubled by the user movement away from the line. “If you don’t cannibalize yourself, someone else will,” he said.

Upgraded Clariion

High-end functionality on EMC’s midrange arrays:

■ Local point-in-time copies (SnapView)
■ Remote synchronous and asynchronous replication (MirrorView)
■ Full or incremental copies between SANs (SAN Copy)
■ Web-based LUN provisioning (Navisphere Management Suite)
■ Centralized storage resource management (Visual SRM)

Financial Returns

Paul Stonchus, data center manager at MidAmerica Bank in Clarendon Hills, Ill., said he thinks EMC’s midrange and high-end arrays will merge over the next 10 years to become a single line based on the best of their technologies. “The disk form factor is the same. If they merge, then you only have one R&D cost that would be less,” said Stonchus, whose bank has a mix of EMC’s Symmetrix, Clariion and Centera fixed-data arrays.

Tony Prigmore, an analyst at Enterprise Strategy Group Inc. in Milford, Mass., also said he thinks EMC will eventually move to a combined storage platform with a common set of code, storage applications and physical components. He predicted that such a move by EMC would accompany an industrywide convergence of midrange and high-end systems.

Prigmore pointed to IBM’s release last fall of its TotalStorage DS8000 line of arrays, which includes both high-end and midrange systems that share common applications and management software.

“We anticipate seeing that same thing with Hitachi Data Systems,” he said.

Prigmore said it makes sense that users would stick with high-end arrays if they already had significant investments in storage software and staff trained to support those systems. But, he added, “the gap is closing here, perception-wise.” © 54521

EMC will ship its long-awaited virtualization technology in the third quarter. Page 14

collection is key to auditing controls.


Continued from page 1

Compliance

gence Corp. in Westwood, Mass., to manage the log data generated by its firewalls. Calpine later connected its other security devices and its routers and switches to the appliance, said Sean Curry, the company’s infrastructure engineering manager.

Then the company realized that the appliance could gather and normalize log information from its Windows and Unix application servers without requiring agents to be installed on those systems, Curry said. That has made it ideal for compliance reporting, he noted.

Calpine began using the appliance to collect information from the servers in January as part of an effort to streamline its Sarbanes-Oxley Act compliance efforts. Curry said the appliance now handles an average of 2,200 log items per second altogether.

Adding to its appeal are functions that let Calpine’s internal auditors directly generate the reports they need without involving systems administrators. “We’ve been able to delegate the logs out of the systems administrator’s control,” Curry said.

Catholic Healthcare Partners, a large health care system based in Cincinnati, is deploying a similar device made by Intellitactics Inc. in Reston, Va., to manage log data from more than 2,000 servers spread across its 10 operating regions and two data centers.

“If I spent five minutes per day looking at the logs from each system, it would take me 20 man-days per day to look at everything. It was just too unreasonable,” said Tim Harrison, information security officer at Catholic Healthcare.

But the Health Insurance Portability and Accountability Act mandates that companies demonstrate that they have the necessary controls in place for protecting sensitive data. Harrison said the Intellitactics appliance will eventually help Catholic Healthcare deal with roughly 100 million log items every day, including data gathered from all of the company’s myriad security devices.

The appliance is expected to allow security teams and systems administrators to get detailed views of log information pertaining to their specific domains, he said. In addition, the company’s auditors should be able to specify the kind of data they need to see for compliance purposes.

Two-Pronged Approach

Michael Gabriel, corporate IT security manager at Hoffman Estates, Ill.-based Career Education Corp., a $1.73 billion provider of postsecondary education, said there are two aspects to auditing internal controls on end users’ access to systems and data.

“There’s the part that deals with the collection of the data, and there’s the part that deals with the mining of the data for useful information,” Gabriel said. “If you aren’t doing the first one right, the second doesn’t matter.”

Career Education is using a product from Edison, N.J.-based NetForensics Inc. to collect about 6 million log items per day from its systems. The technology has “put us in a position where we can demonstrate we have all the needed controls,” Gabriel said.

“The ability of these tools to centralize reporting capabilities is one of their chief values from an auditing and compliance standpoint,” said Scott Crawford, an analyst at Enterprise Management Associates Inc. in Boulder, Colo.

Gartner’s Williams noted that the technology’s support for collecting information from virtually any source has made it ideal for monitoring activity on sensitive systems such as accounting and human resources. © 54539

User Demand Sparks Vendor Changes

THE INCREASING USE of security event and information management appliances for regulatory compliance reporting is prompting some vendors to tweak their product development and marketing strategies.

Last week, for instance, San Jose-based NetIQ Corp. announced compliance-oriented versions of its security event management products. Its Security Compliance Suite comes in two flavors and features a new log-management component and templates designed to help companies assess and report on their compliance with laws such as the Sarbanes-Oxley Act, HIPAA and the Gramm-Leach-Bliley Act.

In March, Network Intelligence upgraded its enVision security event management suite with a new compliance-reporting dashboard and functions for gathering log information from a wider set of sources, including IBM’s older OS/390 mainframes and AS/400 systems and Web servers that run Microsoft Corp.’s Internet Information Services software.

Market forces are driving the changes, said Jim Melvin, vice president of marketing at Network Intelligence. The tools were once used purely for collecting information from firewalls and intrusion-detection systems to support IT security efforts, Melvin said. But over the past two quarters, demand from security users has been matched by interest from companies looking to use the products for compliance reporting, he said.

Pam Casale, vice president of product management at Intellitactics, said the company added features for automating log monitoring and reporting in April after it also started seeing increasing demand for such capabilities.

“It’s changing the way we develop products,” said Tom Foladare, senior director of business development at NetForensics. “Now we worry about asset groups and business processes and being able to take every server that is dealing with a SOX issue and put them into different groups.”

- Jaikumar Vijayan


EMC Sets Pricing, Availability Of Virtualization Technology

BY LUCAS MEARIAN

NEW ORLEANS

EMC Corp. formally announced a shipping schedule for its long-awaited storage virtualization technology last week at its annual user conference here.

EMC officials acknowledged that the availability of Invista, code-named Storage Router, is a quarter behind schedule. Company executives attributed the delay to “common” development issues.

Users interviewed last week downplayed the delay, saying that they are in no rush to implement the technology, which is priced starting at $225,000.

The new Invista system will reside on products from three leading switch vendors and will be generally available next quarter, said Mark Lewis, chief development officer at EMC.

Paul Stonchus, a data center manager at MidAmerica Bank in Clarendon Hills, Ill., said that he has EMC Symmetrix, Clariion and Centera arrays in his data center and would eventually like to use Invista to migrate data across arrays. But he noted that he’s not yet ready to “reinvent the wheel.”

“I’m intrigued by it,” he said. “Once we decide to cross our Clariion and Symmetrix [environments], it will make all the sense in the world. But for now, I’ll wait for Rev. 2.”

Speaking at EMC’s Technology Summit here, Lewis told about 4,000 attendees that Invista will be most valuable in migrating data off aging systems or from one box to another during software upgrades in order to avoid disrupting applications.

Michael Berthiaume, a systems analyst at American Power Conversion Corp., said he’s interested in Invista because it could eliminate planned downtime in data migrations of applications like Lotus Notes, Oracle and Siebel from high-end systems to midrange systems for better price performance.

Product Plans

According to Lewis, the first version of Invista will reside on EMC’s own Connectrix switches, Cisco Systems Inc.’s MDS line of switches and Brocade Communications Systems Inc.’s multiprotocol switches. It is expected to be available on McData Corp.’s switches in early 2006.

The switch-based virtualization firmware will support all of EMC’s Clariion and Symmetrix storage offerings, as well as systems from Hewlett-Packard Co., IBM and Hitachi Data Systems Corp., according to Lewis.

Nancy Hurley, an analyst at Enterprise Strategy Group Inc. in Milford, Mass., said that while EMC is the last of the leading vendors to release a virtualization product of this caliber, the gradual adoption of virtualization technologies will allow it to gain adequate market share. IBM, Network Appliance Inc., HP and Hitachi are already selling competitive systems.

Mario Arbelaez, a storage engineer at software vendor Acxiom Corp. in Little Rock, Ark., said he would like to evaluate Invista because migrating data when upgrading storage management software causes application downtime. Arbelaez, who has storage from HP, IBM, Storage Technology Corp. and EMC, said Invista’s $225,000 price tag isn’t too expensive “when you’re talking trying to migrate 25TB of data.” © 54519

DON TENNANT

A Matter of Image

HOW’S THIS FOR BAD LUCK? You’re a bank, and your check-sorting machine goofs up and puts canceled checks in the wrong statement envelope so they’re sent out to the wrong customer. How’s this for worse luck? The wrong customer is a journalist. Me.

You can imagine my befuddlement when I opened my bank statement a couple of weeks ago and found five canceled checks that weren’t mine. The checks were written by another customer here in Massachusetts, a person we’ll call “Joan Day.” We’ll call her that for two reasons: First, it’s not her real name; second, “Jane Doe” is way overused.

Now, from these checks, here’s what I know about Joan: Her name, husband’s name, address, home phone number, driver’s license number and expiration date, date of birth and checking account number. I also have five signature samples. Oh, and I know where Joan likes to shop, and that she has a kid taking gymnastics.

This compromise of Joan’s personal information was bad news — not only for Joan, but for the bank whose mistake allowed it to happen. Citizens Bank, an arm of Citizens Financial Group Inc. in Providence, R.I., is aware that any bank’s lifeblood is the confidence of its customers, and that includes confidence that personal privacy will be protected.

So, how does something like this happen? According to Avivah Litan, an analyst at Gartner Inc., it’s “sloppy work” that’s “really inexcusable.”

Litan contends that banks’ check-processing resources “are being tunneled to electronic image capture at the expense of the manual check-handling process.”

Interesting that Litan mentioned electronic image capture. It so happens that my statement envelope contained a brochure inviting me to opt for check imaging. The brochure promoted the service, which would provide images of the checks on the statement rather than the canceled checks themselves, as one that would “reduce the risk of misplacing a canceled check.” I don’t think they were referring to the risk of the bank misplacing it, but you get the idea.

The good news is that when I informed the bank of the breach, the matter was taken seriously. A spokeswoman said Joan would be notified immediately, receive an apology and be given the option of closing her account and opening a new one. Commendably, moreover, I was put in touch with Bill Wray, CIO at Citizens Financial Group, to discuss the goof-up.

Wray certainly didn’t diminish the seriousness of the compromise, but he dismissed the notion of it being a resource allocation issue. He explained that when you have around 5 million checks running through electromechanical sorters nightly, on very rare occasions the checks might stick together and be stuffed in the wrong envelope. Wray noted that with check imaging, there’s virtually no chance for this to happen, and there’s an added fraud-management benefit, since investigators can get immediate access to check images. Seems to me that going the imaging route is a no-brainer.

It makes me wonder why Massachusetts law requires customers to opt in for check imaging, while all the other states in which Citizens Bank does business require customers to opt out if they want to continue receiving their canceled paper checks instead. Given that Joan’s checks could easily have ended up in even worse hands than mine, I’d say this is a case when opt-out is clearly the superior approach. © 54470

VIRGINIA ROBBINS

Riding the Wave to a Perfect Day

YOU’VE HAD one of those days. No, not one of those days that cause you to wonder why in the world you ever chose mathematics over marketing or computer science over cultural anthropology. No, it was one of those days when it all comes together, when the major installation hits and — deep breath — actually works.

On days like this, you think of the people on your team who made this happen, admiring their dedication and persistence. You also think of the owners of the project, from the head of marketing to the part-time customer service rep, who dedicated time and resources to make sure that your people had a solid business case and good requirements. You even remember back to the governance meeting when this particular project was chosen. You knew then that it wasn’t going to be easy but that if you could get it done, you’d make the company even more competitive. You knew it was going to be a great project.

And then along came another great project. It was also critical to the company’s success, and it quickly became clear that you needed to do both. But that was OK, you figured, because the first project should be over months ahead of the second.

Then stuff began to happen. A month into the work, you felt as if both projects were slipping through your fingers. Doing both at once and maintaining normal work was straining the resources of the rest of the company. First, the business requirements came in just under the wire. Then the vendors made offers that you could refuse, and negotiations with legal never seemed to quite reach an end. The second month went by, and then the third. Soon it became apparent that both projects would launch in the same month. The team started talking about a perfect storm. You kept thinking about the movie — don’t they all die in the movie? It could indeed be a perfect storm, at least for your career.

Then early code releases were delivered. The business owners started to get excited. The buzz among them was that this was going to be a killer app. Right then in the meeting you started thinking, Just what I need — the killer app in the perfect storm. There were far too many references to death, and your inward chant became “Live, project, live!”

But that’s when the team started to hit its groove. Technical issues arose but were quickly resolved. Testing continued, with bugs getting worked out faster than QA could keep up with their documentation. Early soft launches for both projects were discussed and approved. The soft launches hit, experienced a few bumps but went on.

And today, when you launched, it was smooth sailing. No perfect storm, just two killer apps riding the waves.

Now, as you’re walking down the hallway feeling relieved, you glance at your BlackBerry and see an e-mail from the CFO. Apparently there is a concern in accounting.

You craft your polite response to the CFO, cc’ing the project manager. The project manager bolts out of a meeting, finds you and tells you that yes, accounting had recently expressed some reservations, but it had signed off on the process a month ago. The project manager and the CFO straighten everything out, and 90 minutes later there are no more concerns in accounting. You finally breathe, head back to the hotel and call home.

It’s been a great day. © 54412

DAVID MOSCHELLA

IT at the Front of Your Company

HOW MANY TIMES over the past year have you heard someone proclaim that blogs, particularly in conjunction with RSS, are the next big thing? The latest and loudest of these assertions came from Business Week. The cover of its May 2 issue screams in giant red type that “blogs will change your business.” After all, they brought down Dan Rather.

Although it’s easy enough to deflate some of this hype, a more practical exercise is to try to ask what blogs, RSS, podcasts, peer-to-peer and the whole “smart mob” movement might mean to corporate IT. Perhaps not surprisingly, the answer is “It depends,” a response that isn’t as equivocal as it might first appear.

Exaggerations aside, it’s true that the explosion in blog usage is evidence of a significant new IT frontier. For many years, IT was primarily used to automate the flow of records, documents and communication inside your organization. Then, with the Web’s arrival, direct links with customers and suppliers proliferated. This latest set of tools and services has the potential to capture the conversations, feelings and activity of your actual marketplaces. Essentially, a new platform is emerging at the very front of your company.

As I have argued several times in this column, the task of IT value creation is becoming the responsibility of not only IT suppliers and departments, but also customers themselves. Business books and journals now promote concepts such as co-evolution, co-creation, customer experience and democratic innovation. That speaks to a trend that feels fuzzy today but will likely appear obvious within a few years. Successful companies will find ways to harness the energies of their customers, as the open-source movement already has.

That the significance of these ideas depends upon the business you’re in is nothing new. Clearly, industries such as health care, entertainment and automobiles tend to have more-active communities of customers than, say, canned foods. But it’s not hard to imagine that within a few years, forward-thinking companies in an impressive range of sectors will have real-time systems that capture, map and respond to the way their products and services are being used, evaluated and discussed. Such systems could render many traditional forms of market research obsolete.

And for corporate IT, that is the rub. What role, if any, will you play in influencing the development of systems that will principally serve the needs of marketing, product development and customer service, but often with little direct connection to the back-end transaction systems managed by corporate IT? Just as marketing typically controls the company Web site, it will also take the lead on these high-profile and often experimental initiatives. The question is whether it will look to corporate IT for help or decide that the expertise it needs resides elsewhere.

One of the misconceptions regarding the use of outsourced services is that they are best suited for low-value, back-office activity. But high-value services requiring scarce capabilities can be an equally attractive option. A whole new set of enhanced search, business intelligence and pattern-recognition suppliers is emerging that will be at the cutting edge of front-of-the-company technology deployment.

My company’s research shows that when it comes to the IT organization’s relationships with key company domains, the most fractious is often with marketing. Whether corporate IT will play a big role in the customer-driven world of the future will largely depend upon whether this relationship becomes more closely aligned. © 54405

WANT OUR OPINION?

More columnists and links to archives of previous columns are on our Web site:

www.computerworld.com/columns


READERS’ LETTERS

Cohen Is Right: Visas Are Wrong

THANK YOU for doing the interview with Gerry Cohen [“Q&A: Information Builders CEO Blasts Gates’ H-1B Stand,” QuickLink 54143]. This guy is an American hero for sticking to his guns and bucking the popular trends. But most of all, he is a hero for being willing to stick out his neck and tell the IT industry that H-1B and L-1 visas are the wrong solution for this industry.

Cohen says many of the things that the members of TechsUnite and ProgrammersGuild have been saying for years - there is no shortage of workers, and the more that industry demands the importation of cheap labor, the worse the overall IT industry is going to fare in the U.S.

Information Builders, which Cohen built from the ground up, is one of those rare companies that acts ethically while at the same time trying to derive the greatest return for its stockholders. In the past, I was a customer of IBI. It’s becoming clear to me that it’s the kind of company that I want to be a customer of in the future!

Walt Crosby
Executive vice president, Terabase Corp., Danvers, Mass., walt@terabase.com


Apple’s Just Another Closed Monopoly . . .

IN HIS letter to the editor about Microsoft and Linux, Daniel Reiss wrote, “Better yet, switch to Apple. Better hardware, better operating system, better use of open-source and no threat of litigation from SCO or Microsoft” [QuickLink 52909].

Whether or not the statements concerning hardware and operating system are true, there is a major problem with this advice. Moving from Microsoft to Apple is like jumping out of the frying pan into the fire. You have only traded monopolies. You have gone from an organization that controls the operating system and software to one that controls the hardware and operating system. You have gone from one straitjacket to another. You may be better off for a while, but eventually you will be in trouble because you are in a closed, controlled, monopolistic system. Currently, the only viable alternative is Linux, open systems and a variety of hardware.

George Washburn
Marion, Ala.

. . . And It Charges Big Bucks for ‘Cool’

I WHOLEHEARTEDLY AGREE with Michael Gartenberg’s opinion about the features on Apple’s new Tiger operating system: They are cool [“Apple Takes Major Leap With Tiger,” QuickLink 53958]. What he hasn’t worked out, apparently, is that corporate America doesn’t want to pay for cool.

Apple consistently extracts more money from your pocket than most other manufacturers, and it is more proprietary than Microsoft has ever been, yet it still wonders why its market share doesn’t increase by leaps and bounds.

I’m sorry, but you are going to have to convince me that Apple has shed its exclusivity before I will even get interested again.

Bob Sibson
Enterprise architect, Adelaide, South Australia


COMPUTERWORLD welcomes comments from its readers. Letters
will be edited for brevity and clarity. They should be addressed to
Jamie Eckle, letters editor, Computerworld, PO Box 9171, 1 Speen
Street, Framingham, Mass. 01701. Fax: (508) 879-4843. E-mail:
letters@computerworld.com. Include an address and phone
number for immediate verification.

For more letters on these and other topics, go to
www.computerworld.com/letters
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DAVID MOSCHELLA is the
global research director at the Leading Edge Forum, a Computer
Sciences Corp. company. Contact him at dmoschella@earthlink.net.
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Microsoft 


“We conducted stringent testing and chose
the Microsoft® solution for its unified stack,
which saves time and money on integration
and maintenance. These factors combined
to give the Microsoft stack a 24 percent
lower total cost of ownership compared
to other solutions.”

—  Randy  McCoy,  CTO, 
CheckFree  Corporation 


CheckFree  Corporation  powers  millions  of  financial  transactions  daily  for 
thousands  of  financial  institutions.  As  home  to  one  of  the  world's  largest 
databases,  they  needed  to  reduce  their  cost  per  transaction  while  maintaining 
performance  and  quality.  So  they  conducted  a  stringent  benchmark  test  of 
an  IBM  solution  stack  including  Red  Hat  Linux  9,  IBM  DB2,  and  J2EE  against 
a Microsoft solution featuring Windows Server™ 2003, SQL Server™ 2000,
and  the  .NET  Framework.  Because  the  Microsoft  stack  delivered  14%  faster 
transaction  rates  and  24%  better  TCO,  CheckFree  chose  the  Windows®  platform 
for  the  next  generation  of  their  Investment  Services  platform. 

To  get  the  full  case  study,  other  case  studies,  and  other  third-party  findings, 

go  to  microsoft.com/getthefacts 
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Windows 
Server  System 


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SDLT  600  Results 
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In  a  blind  taste  test,  the  SDLT  600  was  found  to  be  less  than  appetizing.  Test  subjects' 
comments  included,  “if  there  is  a  hell,  this  is  the  food.”  Scientists  have  agreed  to  conduct 
the  next  round  with  condiments.  As  for  data  backup  abilities,  it  passed  with  ease.  The 
SDLT  600  has  more  capacity  and  more  speed  than  LTO-2  and  AIT-3.  It  also  includes 
DLTSage™ diagnostic management software and DLTIce™ archival WORM functionality.
How  do  we  know?  It’s  been  tested.  For  more  info  and  to  see  the  whitepaper,  visit  DLTtape.com. 
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Rounding  Up 
Business  Rules 

Organizations  are  finding  that  business  rules 
engines  and  management  systems  can  automate 
enforcement  of  the  rules  necessary  to  make 
processes  run  smoothly.  IT  leaders  such  as 
Donna  Ramos-Johnson  explain  how.  Page  24 


SECURITY  MANAGER'S  JOURNAL 

Protecting Consumer
Data on the Cheap

A  mandate  to  protect  personal  data  in  the 
state  agency’s  databases  isn’t  accompanied 
by  any  extra  funds,  so  C.J.  Kelly  has  to  come 
up  with  an  inexpensive  way  to  do  it.  Page  30 


FUTURE  WATCH 

Coming:  Sensors  and 
Pixels  Everywhere 

Accenture’s  Anatole  Gershman  discusses 
ongoing  work  on  intelligence  technol¬ 
ogies  that  are  aimed  at  connecting  IT  sys¬ 
tems  with  the  physical  world.  Page  34 


Vulnerability  management 
technology  allows 
companies  to  choose 
which  threats  are  most 
urgent  and  which  IT  assets 
take  priority  for  protection. 
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LLOYD HESSION has a simple
philosophy for dealing with vulnerabilities on his company’s
network: Know which ones have to be fixed right away and
which can be safely put off for later.

The sheer number of vulnerabilities that can exist on a network
makes it impossible to address all of them at the same time
without serious disruption, says Hession, chief information
security officer at Radianz, a New York-based provider of
network connectivity services to financial firms.

So  the  key  is  to  have  a  formal  vul¬ 
nerability  management  process  to 
identify  problems,  categorize  them  by 
severity  and  prioritize  responses,  he 
explains. 

“It’s  all  about  arriving  at  some  sort 
of  a  risk  determination  and  figuring 
how  seriously  you  need  to  address  it,” 
he  says.  “The  days  of  people  running 
out  and  patching  everything  are  over.” 

Hession  isn’t  alone.  Finding  out 
what  to  protect  on  the  network  and 
how  much  protection  is  needed  is  sud¬ 
denly  becoming  a  lot  more  important 
to  companies  than  it  was  even  two 
years  ago,  says  Scott  Crawford,  an  ana¬ 
lyst  at  Enterprise  Management  Associ¬ 
ates  in  Boulder,  Colo. 

The  never-ending  barrage  of  soft¬ 
ware  vulnerability  announcements 
and  the  constant,  sometimes  compet¬ 
ing,  need  to  fix  them  is  pushing  com¬ 
panies  to  look  for  more  efficient  ways 
to  deal  with  the  problem,  he  says. 

Instead  of  rushing  to  apply  costly 
fixes  to  every  flaw  that’s  announced, 
the  goal  is  to  take  a  more  selective  ap¬ 
proach  by  prioritizing  threats,  adds 
Crawford. 

“Vulnerability  management  tools 
are  going  to  be  in  great  demand  where 
exposure  to  external  risk  is  high,” 
Crawford  says.  That’s  because  the 
tools  are  designed  to  impose  order  on 
a  process  that  has,  in  the  past,  simply 
been  urgently  reactive. 

There are several components to a vulnerability management
process, users say. Fundamental to the effort are vulnerability
assessment scans. They help companies discover network assets
and any software holes or configuration errors that might exist
in them.

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THOUGH COMPANIES have started
adopting formal vulnerability management practices only fairly
recently, there are already several tools and services available
to help them through the process.

Some vendors, such as Qualys in Redwood Shores, Calif.,
Counterpane Internet Security Inc. in Mountain View, Calif., and
Internet Security Systems (ISS) in Atlanta, offer vulnerability
management services as part of their managed security services
portfolio.

Qualys, for instance, offers an on-demand service called
QualysGuard that uses a vulnerability database containing more
than 4,000 unique tests to help companies identify, prioritize,
fix and monitor problems on their networks.

that companies can use to probe network assets such as
application servers, databases, firewalls and Web server routers
and switches for exploitable flaws. The service can be combined
with ISS’s managed intrusion prevention and managed firewall
service, says Dave Ostrowski, an ISS product manager. ISS also
sells a hardware appliance for vulnerability scanning.

Others, such as Foundstone Inc., which was acquired by Santa
Clara, Calif.-based McAfee Inc., and San Francisco-based nCircle
Network Security Inc., offer an appliance-based approach to
vulnerability management. The Foundstone Enterprise appliance
and nCircle’s IP360 Vulnerability Management System are designed
to let companies continuously monitor their networks and probe
all discovered hosts for vulnerabilities.

An optional Threat Correlation Module allows companies to create
a numerical risk ranking for each threat by tying events - such
as the emergence of exploits - to asset and vulnerability
information, says George Kurtz, a senior vice president at
Foundstone.

Another vendor in this market is Skybox Security. The company
sells software that a business can use to build a virtual model
of its entire network, including vulnerabilities, that can then
be used to simulate a variety of attack scenarios. The virtual
model allows administrators to understand how systems are
connected to one another in a network and to do what-if and
business-impact analysis using various attack and remediation
scenarios.

The goal is to give companies a “surgical list of things to do”
to address network vulnerabilities in the most cost-effective
fashion, says Ed Cooper, vice president of product management
at Skybox.

- Jaikumar Vijayan

Vulnerability  and  asset  classifica¬ 
tion,  as  well  as  risk  metrics,  are  needed 
to  help  companies  prioritize  responses 
to  the  threats. 

Mitigation  and  blocking  measures 
may  be  needed  to  deal  with  some 
threats  for  which  software  updates  or 
other  fixes  may  not  be  immediately 
available.  And  monitoring  and  mea¬ 
surement  processes  are  crucial  to  en¬ 
sure  that  fixes  and  changes  that  have 
been  made  remain  in  place. 

Detection  and  Remediation 

A good management process helps companies identify and
remediate the network vulnerabilities that really matter, says
Derek Milroy, a security architect at Career Education Corp.
(CEC), a $1.73 billion company in Hoffman Estates, Ill., that
runs postsecondary education programs.

A vulnerability management system allows companies to collect
information on and understand various threats to corporate
networks, and it shortens the reaction time needed to deal with
them, he says. Also important, it enables IT administrators to
focus their time and resources on only the problems that need
fixing, Milroy says.

“It  really  is  the  core  central  instru¬ 
mentation  that  enables  a  security  func¬ 
tion  to  operate  within  the  organiza¬ 
tion,”  says  Robert  Garigue,  chief  infor¬ 
mation  security  officer  at  the  Bank  of 
Montreal  in  Toronto. 

Radianz  has  adopted  several  mea¬ 
sures  for  managing  vulnerabilities  on 
its  networks  and  systems.  The  compa¬ 
ny  doesn’t  do  too  many  routine  vulner¬ 
ability  scans,  Hession  says.  But  when  it 
does,  it  looks  for  known  software  holes 
as  well  as  configuration  errors,  rogue 
machines  and  services  that  could  be 
exploited,  he  says. 

Radianz  has  also  classified  its  sys¬ 
tems  into  various  groups  depending  on 
their  importance  to  the  organization. 
Critical  financial  and  human  resources 
systems  and  those  belonging  to  senior 
executives,  for  instance,  get  fixed 
faster  than  those  that  aren’t  as  impor¬ 
tant.  Most  of  the  company’s  desktops 
have  host  firewalls  for  detecting  and 
blocking  intrusions  at  the  client  level. 

“This way, even if there are any vulnerabilities on those
systems, they are not directly exploitable because of the fact
that the personal firewalls are blocking it,” Hession explains.
“It buys you some time to go out and patch systems.”

Asset  and  response  prioritization  is 
a  key  aspect  of  any  vulnerability  man¬ 
agement  strategy,  Milroy  says. 

Categorizing  Assets 

For  the  past  nine  months,  CEC  has 
been  using  an  on-demand  service  from 
Qualys  Inc.  to  perform  asset  discovery, 
asset  prioritization,  vulnerability  as¬ 
sessment  and  analysis  as  well  as  reme¬ 
diation. 

Like many other companies, CEC has organized its network assets
into multiple security categories. It rates those categories
from 1 to 5 depending on their importance to enterprise
operations. Data center servers and those running crucial
databases and revenue-generating applications, for instance,
are considered Category 5, while some rarely used file servers
might be a Category 1.

Similarly,  vulnerabilities  are  color- 
coded  depending  on  their  severity, 
with  red  being  the  most  critical.  CEC 
runs  weekly  vulnerability  scans  of  its 
network  and  prioritizes  its  responses 
based  on  asset  importance  and  vulner¬ 
ability  severity. 

A  vulnerability  in  a  database  server 
that  can  be  remotely  exploited  or  for 
which  a  worm  already  exists  might  be 
assigned  a  Red  5  rating,  which  means 
that  it  needs  to  be  fixed  immediately, 
Milroy  says. 

In  some  cases,  a  serious  vulnerabili¬ 
ty  might  exist  in  a  critical  system  but 
there  may  be  no  immediate  threat  di¬ 
rected  against  it,  in  which  case  it  may 
be  better  to  do  a  more  planned  remedi¬ 
ation  rather  than  risk  the  disruption  of 
an  immediate  fix,  he  says. 

Realistic  Strategies 

CEC  largely  depends  on  vendor  classi¬ 
fications  to  determine  the  severity  of 
vulnerabilities,  but  it  also  uses  its  own 
internal  filters  and  analysis  to  deter¬ 
mine  whether  an  issue  is  really  critical. 

“I’m  trying  to  keep  it  realistic.  All 
you  really  care  for  are  the  Category  5 
vulnerabilities,”  Milroy  says.  “Can  you 
root  the  machine?  Can  it  get  hit  by  a 
worm?  Is  it  remotely  exploitable?” 
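
The rating scheme Milroy describes can be written down as a small triage routine. This is an added example, not CEC's or Qualys's code: it joins scan findings to an asset inventory rated 1 to 5, applies the three questions above as an internal filter, and separates "fix immediately" from "planned remediation". The colours other than red, the field names, the host names and the handling of hosts missing from the inventory are assumptions.

```python
from dataclasses import dataclass

# Severity colours, least to most critical. The article names only red;
# yellow and orange are assumed for this example.
SEVERITY = {"yellow": 1, "orange": 2, "red": 3}
ACTIONS = ["fix-now", "investigate", "planned", "routine"]  # most urgent first


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    vendor_colour: str      # severity as classified by the scanner vendor
    remote: bool = False    # remotely exploitable
    worm: bool = False      # a worm for this flaw already exists
    targeted: bool = False  # an attack is currently directed at this host


def severity(finding):
    """Internal filter: a remotely exploitable or wormable flaw is red."""
    if finding.vendor_colour not in SEVERITY:
        raise ValueError(f"unknown severity colour: {finding.vendor_colour!r}")
    if finding.remote or finding.worm:
        return "red"
    return finding.vendor_colour


def triage(findings, inventory):
    """Rate findings as '<Colour> <category>' and pick a response.

    inventory maps host -> asset category 1..5 (5 = most important).
    Returns (action, rating, finding) tuples, most urgent first.
    """
    rows = []
    for f in findings:
        colour = severity(f)
        category = inventory.get(f.host)
        if category is None:
            # Host seen by the scan but never classified (possibly a rogue
            # machine): it cannot be rated until someone identifies it.
            rows.append(("investigate", f"{colour.capitalize()} ?", f))
            continue
        if category not in range(1, 6):
            raise ValueError(f"asset category out of range for {f.host}")
        if colour == "red" and category == 5:
            # Red 5 is fixed at once unless nothing threatens it right now,
            # in which case a planned fix avoids needless disruption.
            immediate = f.remote or f.worm or f.targeted
            action = "fix-now" if immediate else "planned"
        else:
            action = "routine"
        rows.append((action, f"{colour.capitalize()} {category}", f))

    def urgency(row):
        action, _, f = row
        return (ACTIONS.index(action), -SEVERITY[severity(f)],
                -inventory.get(f.host, 0), f.host)

    return sorted(rows, key=urgency)


# Constructed sample data (hosts and findings are invented).
SAMPLE_INVENTORY = {"db-prod-01": 5, "erp-app-02": 5, "files-old-07": 1}
SAMPLE_FINDINGS = [
    Finding("db-prod-01", "verbose service banner", "yellow"),
    Finding("files-old-07", "file-sharing service flaw", "orange", worm=True),
    Finding("erp-app-02", "local privilege escalation", "red"),
    Finding("kiosk-unknown-9", "default admin password", "yellow"),
    Finding("db-prod-01", "database listener overflow", "orange", remote=True),
]

if __name__ == "__main__":
    for action, rating, f in triage(SAMPLE_FINDINGS, SAMPLE_INVENTORY):
        print(f"{action:<12}{rating:<10}{f.host:<18}{f.title}")
```

The order of the routine queue (severity first, then asset category) is one choice among several; the article only says both factors are used.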

Key  to  a  good  vulnerability  manage¬ 
ment  strategy  is  an  understanding  of 
the  various  interdependencies  that  ex¬ 
ist  between  systems  on  your  network, 
says  Ed  Cooper,  vice  president  of  prod¬ 
uct  management  at  Skybox  Security 
Inc., a Palo Alto, Calif.-based vendor of
risk  management  software. 

Sometimes,  for  instance,  fixing  the 
problem  on  a  single  upstream  server 
or  router  may  be  all  that’s  needed  to 
mitigate  the  risk  posed  by  a  vulnerabil¬ 
ity  on  multiple  servers,  he  says. 

Knowing  precisely  which  holes  to 
close  on  which  server  or  workstation 
can  tremendously  reduce  response 
times  and  help  focus  effort  on  the  real 
threats,  Cooper  says. 

Skybox offers a tool that allows a company to build virtual
models of its entire network that it can use to simulate attacks
and understand the potential consequences of vulnerabilities.

Often,  the  risk  a  vulnerability  poses 
to a system might need to be balanced
against  the  potential  business  disrup¬ 
tion  or  revenue  loss  that  might  result 
from  taking  the  system  down  to  fix  it, 
says  David  Giambruno,  director  of 
strategic  infrastructure  and  security 
at  Pitney  Bowes  Inc.,  a  $5  billion  mail 
and  document  management  firm 
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based  in  Stamford,  Conn. 

Software  patches  and  mitigation 
approaches  can  sometimes  interrupt 
needed  services  or  functions  on  core 
systems,  causing  problems  that  ripple 
throughout  the  business. 

In  such  cases,  it’s  a  good  idea  to  have 
an  “exceptions  management”  process 
under  which  some  sort  of  compensat¬ 
ing  controls  are  put  in  place.  It’s  also  a 
good  idea  to  make  business  owners 
aware  of  all  potential  risks  and  have 
them  sign  off  on  it,  Giambruno  says. 

The  complexity  of  modern  networks 
makes  it  vital  to  have  tools  for  auto¬ 
mating  the  discovery  and  remediation 
of  assets  and  vulnerabilities  at  the  net¬ 
work,  application  and  database  levels, 
Giambruno  says. 

For  example,  Pitney  Bowes  is  using  a 
service  from  McAfee  Inc.’s  Foundstone 
Inc.  business  to  scan  its  networks  for 
vulnerabilities  once  a  week. 

A real-time patch and configuration management tool from BigFix
Inc. in Emeryville, Calif., helps Pitney Bowes quickly test and
deploy patches across its global infrastructure in less than an
hour if needed.

PROTECTING DIGITAL ASSETS: 10 Steps

1. POLICY. Establish processes, standards and guidelines.

2. INVENTORY. Discover all assets across the network.

3. PRIORITIZE. Assign business value to assets.

4. VULNERABILITIES. Determine vulnerabilities on assets.

5. THREATS. View potential threats.

6. RISK. Determine the risk levels.

7. BLOCK. Stop intrusions in real time.

8. REMEDIATION. Proactively fix vulnerabilities.

9. MEASURE. Measure impact of security decisions and actions.

10. COMPLIANCE. Review for policy compliance.

A  database-scanning  tool  called 
AppDetective  from  Application  Secu¬ 
rity  Inc.  in  New  York  helps  Pitney 
Bowes  scan  for  and  discover  any 
vulnerabilities that might exist in
the  database. 

Mandate  to  Act 

Vulnerability  management  tools  and 
practices  can  provide  a  lot  of  good  in¬ 
formation  about  the  risks  companies 
face,  but  they  raise  their  own  chal¬ 
lenges,  users  say. 

“Vulnerability  assessment  gives  you 
this  view  of  the  entire  organization. 
Then  you’ve  got  to  analyze  the  results 
and  ask  yourself,  ‘What  have  I  seen? 
What  does  it  mean,  and  who  is  respon¬ 
sible  for  fixing  it?’  ”  says  Garigue. 

“You need to have a good quantitative understanding of what the
tools are trying to tell you before you go to the business side
and ask them to fix things,” Garigue says. “If not, you are
going to end up with a lot of cross talk.”

Desktops  and  other  client  devices 
pose  big  security  risks,  but  scanning 
them  for  vulnerabilities  can  be  chal¬ 
lenging  because  they  are  so  portable, 
says  Amy  Hennings,  assistant  director 
of  information  security  at  George 
Washington  University  in  Washington. 

In  the  university’s  case,  it  made  per¬ 
sonal  firewalls  freely  available  to  desk¬ 
top  users  as  part  of  a  bid  to  improve 
security.  Ironically,  those  firewalls  are 
now  making  it  difficult  to  perform 
vulnerability  scans  on  the  systems, 
Hennings  says. 

“The  key  thing  to  remember  is  that 
IT  has  limited  resources,”  Radianz’s 
Hession  says.  “So  it’s  all  about  priori¬ 
tizing  and  acknowledging  that  there’ll 
always  be  some  trade-off  issues.” 

At  the  same  time,  though,  try  to  keep 
it  simple.  “You  don’t  want  to  make  it 
overly  complicated,”  Hession  says. 
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Do  you  know 
where  all  of 
your  compa¬ 
ny’s  business 
rules  are? 

Most  enterprise  users  are  surprised 
to  discover  how  many  important  — 
and  not-so-important  —  rules,  regula¬ 
tions,  policies  and  procedures  are  scat¬ 
tered  all  around  the  organization.  For 
example,  last  year’s  marketing  manual 
has  guidelines  for  creating  advertising 
campaigns;  equations  for  calculating 
employees’  health  and  retirement  ben¬ 
efits  are  embedded  in  Cobol  code;  and 
best  practices  for  writing  software 
code  reside  only  in  the  minds  of  senior 
developers,  since  no  one  has  been 
asked  to  write  them  down. 

In  older,  slower  eras,  this  diffusion 
of  policies  and  rules  wasn’t  such  a  big 
problem.  But  business  and  IT  execu¬ 
tives  find  themselves  under  greater 
pressure  than  ever  to  adapt  to  rapid 
changes  in  the  market  and  in  govern¬ 
ment  regulations  —  as  well  as  to  oper¬ 
ate  at  maximum  efficiency.  As  a  result, 
they  are  looking  to  round  up  these 
renegade  rules  and  put  them  someplace 
they  can  be  easily  accessed,  updated 
and  applied  to  business  processes.  To 
do  that,  they’re  turning  to  business 
rules  engines  —  execution  environ¬ 
ments  and  repositories  for  business 
rules  —  and  management  systems. 

CATCHING  ERRANT  CLAIMS 

A  case  in  point:  The  District  of  Colum¬ 
bia  provides  financial  assistance  to 
needy  residents,  some  of  whom  also 
qualify  for  Medicaid  or  other  federal 
programs.  Recently,  managers  working 
for  the  district  discovered  that  the  lo¬ 
cal  aid  program  was  often  getting  the 
bill  for  services  that  should  have  been 
covered  by  federal  programs.  If  an 
employee  failed  to  catch  such  errors, 
it  would  be  a  costly  misapplication  of 
the  rules. 

To  catch  more  of  the  bad  claims  and 
more  quickly  process  legitimate  ones, 
the  district  began  developing  its  Auto¬ 
mated  Client  Eligibility  Determination 
System.  The  new  system  relies  on 
ILOG  Inc.’s  ILOG  Rules  business  rules 
engine  to  determine  eligibility  for  D.C. 
and  federal  programs.  It  asks  appli¬ 
cants  a  series  of  questions  —  much 
like  a  TurboTax  automated  tax  pro¬ 
gram  does  —  and  then  prints  out  com- 
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pleted  applications  for  the  programs 
for  which  they  are  qualified. 

The  ILOG  engine,  which  is  accessi¬ 
ble  to  anyone  with  a  Web  browser,  has 
a  very  high  accuracy  rating  —  99%,  ac¬ 
cording  to  Donna  Ramos-Johnson,  as¬ 
sociate  director  at  Washington’s  Office 
of  the  Chief  Technology  Officer.  That 
delivers  better  performance  than  the 
legacy  system,  which  is  an  IBM  main¬ 
frame  running  an  Adabas/Natural 
database  that  was  used  internally 
for  claims  processing  and  financial 
transactions. 

Ramos-Johnson  says  more  federal 
programs  will  be  added  to  the  rules 
repository,  which  will  eventually  be 
used  by  the  legacy  system  as  well.  “We 
expect  to  have  the  major  federal  pro¬ 
grams  online  by  September,”  she  says. 

WHO  NEEDS  THEM 

Rules engines have been around since the early 1990s when
companies such as Pegasystems Inc. in Cambridge, Mass., Fair
Isaac Corp. in Minneapolis and ILOG in Mountain View, Calif.,
sold them. They were typically used in rules-heavy industries
such as finance and insurance. Over the past few years, however,
many vendors have entered the market, and more companies are
looking at rules engines as a way to gain greater flexibility in
business operations.

“What’s  driving  new  interest  in 
business  rules  is  the  need  for  business 
agility,”  says  David  Kelly,  president  of 
Upside  Research  Inc.  in  Newton,  Mass. 
“Companies  need  to  be  able  to  create 
applications  and  business  processes 
that  can  adapt  rapidly  to  marketplace 
demands.” 

Rules engines provide this kind of flexibility by making it
possible to edit the steps, or rules, of a business process.
Traditionally, those steps have been coded into the application.
But with a rules engine, they can be written in a
natural-language authoring language and stored separately in a
managed repository. Applications are then instructed to access
the rules engine, and the rules themselves can be updated
quickly by semitechnical users rather than programmers.

GOOD

A BUSINESS RULES ENGINE is only as good as what’s in it. And the
first step of any business rules project should be to identify
all of the rules in your organization, according to Ladd Bethune,
senior technical consultant at Lambert Technical Services LLC in
Lebanon, Conn.

Once you’ve identified and extracted your existing rules, and
before you transfer them into a business rules engine, you need
to evaluate the quality of the rules, says Bethune. They may need
to be edited or rewritten in order to make them sustainable for
the long term.

According to Bethune, sustainable business rules have at least
12 characteristics. They should be adaptable, auditable, easily
implemented, extensible, manageable, queryable, reusable,
securable, testable, traceable, understandable and verifiable.

- Sue Hildreth

Also,  notes  Kelly,  business  rules  sys¬ 
tems  can  help  companies  prove  com¬ 
pliance  with  government  regulations 
by  providing  an  audit  trail  of  proce¬ 
dures  and  changes  to  those  procedures. 

LIVING  WITH  LEGACY  APPS 

Legacy  applications  are  one  major  rea¬ 
son  organizations  are  turning  to  rules 
engines.  When  companies  have  many 
rules  embedded  in  legacy  code,  mov¬ 
ing  them  to  a  rules  engine  enables 
users  to  make  changes  without  having 
to  constantly  rewrite  code. 

Sterling,  Va.-based  First  American 
Field  Services,  which  provides  proper¬ 
ty  inspection  and  maintenance  ser¬ 
vices  to  banks,  turned  to  rules  manage¬ 
ment  after  it  reached  an  impasse  with 
its  legacy  system. 

“It  was  so  spider-webbed,  there  was 
custom  code  for  each  of  our  clients, 
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and  it  was  just  so  difficult  to  change,” 
says  Mark  Davis,  development  manag¬ 
er  for  MIS  at  First  American. 

Three  years  ago,  First  American  be¬ 
gan  developing  a  property  inspection 
and  maintenance  system  using  Fair 
Isaac’s  Blaze  Advisor  rules  engine. 
That  application  is  linked  to  a  DB2 
database  and  Visual  Basic  .Net  work- 
flow  engines  that  consult  the  rules  en¬ 
gine  to  determine  a  course  of  action, 
such  as  what  service  to  order.  Rules 
are  edited  via  an  English-based  author¬ 
ing  language  and  Fair  Isaac’s  Visual 
Ruleflow  Editor,  with  drag-and-drop 
icons  for  graphically  creating  business 
processes. 


Michael  Barnes,  vice  president 
of  technology  research  ser¬ 
vices  at  Gartner  Inc.,  says 

typically  have  the 
following  features: 


Guidelines  for  identifying 
and  documenting  rules 

A  graphical  user  interface 
for  authoring  and  editing 
the  rules 

Visualization  of  the  process 
flows  created  by  multiple 
rules 

Rule  testing  and  debugging 

Integration  with  other 
development  applications 

Rules-mining  capability 
to  harvest  rules  from 
legacy  systems 


A rules repository

Support for role-based access by different users

Reporting and querying capabilities

Support for versioning

Rule consistency checks to ensure accuracy and
enable rules reuse


“It’s  very  easy  to  make  changes 
now,”  says  Davis. 

Brian  Stucky,  the  “enterprise  rule 
steward”  at  New  York-based  Freddie 
Mac,  also  credits  business  rules  man¬ 
agement  with  simplifying  the  process 
of  changing  rules.  Managing  policies 
became  much  easier  after  the  federally 
chartered  mortgage  lender  replaced  a 
legacy  system  with  an  application  tied 
to  an  ILOG  JRules  engine. 

“We  have  a  huge  number  of  business 
rules.  Before,  to  make  a  change,  we’d 
have  to  get  a  mainframe  guy  to  find  the 
rule,  make  the  change,  retest  the  sys¬ 
tem,  put  it  back  into  service,”  Stucky 
says.  “It  was  such  a  lengthy  procedure 
that  we  often  waited  until  we  had  sev¬ 
eral  changes  to  make.  Now  we  can  sup¬ 
port  rapid  change  in  rules  as  needed.” 

Other  companies  are  also  using  rules 
engines  to  improve  operating  efficien¬ 
cy.  AMR  Inc.,  a  national  medical  trans¬ 
portation  company  in  Greenwood  Vil¬ 
lage,  Colo.,  uses  a  rules  engine  to  man¬ 
age  its  fleet  of  vehicles  more  cost- 
effectively. 

“Before,  if  someone  needed  trans¬ 
port  to  get  an  X-ray,  we  might  send  out 
the  most  expensive  rig  —  an  advanced 
life-support  system  —  and  transport 
them  to  the  hospital  at  a  high  cost,” 
explains  Mark  Kalevik,  a  software  en¬ 
gineering  manager  at  AMR.  Now  the 
company  relies  on  CleverPath  Aion 
Business  Rules  Expert  from  Computer 
Associates  International  Inc.  to  deter¬ 
mine  which  type  of  vehicle  to  autho¬ 
rize  and  how  quickly  it  must  respond. 

DRIVEN  BY  BPM  AND  SOA 

Interest  in  business  process  manage¬ 
ment  (BPM)  is  also  driving  interest  in 
business  rules. 

“Business  rules  engines 
are  becoming  an  important 
part  of  other  solutions,  such 
as  business  process  manage¬ 
ment,”  says  Kelly,  noting 
that  it’s  common  for  BPM 
vendors  to  partner  with 
rules  engine  providers. 

Another  complementary 
trend  is  the  increasing  use  of 
Web  services  and  service- 
oriented  architectures.  When  building 
an  SOA  framework,  organizations  are 
adding  a  business  rules  layer  to  go 
along  with  the  business  logic,  work- 
flow  and  data  layers. 

Chicago-based  Promissor  Inc.,  a 
provider  of  educational  testing  and 
licensing  services,  is  developing  just 
such  an  SOA.  The  company  created 
a  registration  system  that  could  be 
used  remotely  by  on-site  registrars 
with  laptops  or  handheld  devices  for 


Advise or Control


James  Sinur,  an  analyst  at  Gartner 
Inc.,  explains  that  rules  engines  are 
used  either  to  control  transactions  and 
processes  or  to  provide  advice  and 
analysis. 

“About 50% of business rules engines are used in an advisory
role: ‘Should I do this or that?’ The other 50% are used in
business processes,” he says.

According  to  Sinur,  there  are  three 
categories  of  rules  systems. 

1. SIMPLE RULES EXTERNALIZATION. This system allows an
organization to express its rules in a standard format, house
them in a repository, view them in decision trees or tables, and
edit them as needed.

2. INFERENCE ENGINE. If the questions you need to put to a rules
engine tend to be more sophisticated than simple “yes” or “no”
equations, then you may need an inference engine, which uses
probabilities and backward chaining through the rules to
discover multiple possible solutions to the same end.

3.  BEHAVIORAL  LEARNING.  These  ad¬ 
vanced  systems  use  case-based  rea¬ 
soning  and  are  “trained”  to  recognize  a 
variety  of  scenarios. 

-  Sue  Hildreth 


VENDORS  AND 
PRODUCTS 

For  a  list  of  rules  engines  and 
business  rules  management 
systems  vendors,  visit 
our  Web  site: 
screening and registering test applicants. To make the system more accessible by handhelds in remote locations, Promissor built the application using Web services.

“We’ve rearchitected, with the rules engine as the cornerstone,” says Robert Crouch, vice president of IT at Promissor. The company selected Sewickley, Pa.-based Haley Systems Inc.’s HaleyRules engine and Haley Authority rules-authoring tool to create and manage the registration rules. “The Haley engine is light enough to load on a PDA, so we do not need Internet connectivity to operate,” Crouch says.

Promissor preferred Haley’s natural-language interface, which enabled business users to easily edit rules. It also liked Haley’s small footprint, says Crouch.

Options for viewing and editing rules can be important. Users may want to work with rules via a decision table, a decision tree or some other format that they’re familiar with.

Cesar Gomez, manager of systems operations and application development at Horizon Casualty Services in Newark, N.J., especially likes the visual features of the RulesPower product from RulesPower Inc. in Burlington, Mass., which Horizon installed as part of a new bill-processing program last year.

“What impressed us was the visual diagramming of the workflows,” Gomez says. “It’s like an interactive Visio screen. It gave the business people the ability to visualize how the business rules flowed within the program.”

Horizon’s RulesPower-based bill-processing application has enabled the firm to reassign three of its six bill processors to handling exceptions — nonstandard claims that require human scrutiny — and to substantially reduce its backlog of claims. The use of a rules engine has even cut the cost of processing a claim by 30%, according to Gomez.

USER-FRIENDLINESS

What matters in a rules management system, says Barnes, isn’t the list of features; it’s how user-friendly it is to nontechnical people. Most organizations buying rules engines today want their business managers to be able to create and edit their own rules.

“The real differences, and the real areas for improvement, have to do with usability,” says Barnes. He suggests that businesses begin by evaluating how easy it is for users to formulate business rules with the product.

“The value proposition of a rules engine is the ability to manage business rules, and those rules should be defined by business people,” Barnes says. “Unfortunately, many products are still too immature and too technical at this point.”

Hildreth  is  a  freelance  writer  in 
Waltham,  Mass.  She  can  be  reached 
at  Sue.Hildreth@comcast.net. 
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CIO  Discusses  IT  Methods  for  Mergers 


BY  ROBERT  L.  MITCHELL 

Ed Kamins, CIO of $10 billion computer systems distributor Avnet Inc. in Phoenix, recently spoke to Computerworld about the challenges posed by multiple mergers and massive IT consolidation projects.

You’re restructuring your IT infrastructure. Can you give examples of what you’re doing?

We had nine ERP systems in various places around the world. Today, we are fundamentally down to four and continuing to consolidate. By the first of the fiscal year [in July], we will be entirely on SAP in Asia.

Why did you have so many ERP systems?

When you make 45 acquisitions and you have far-flung enterprises across the world, you have brought with those acquisitions some very talented and capable people and the systems they worked on. It’s probably not prudent to start by wiping everything out. But over time, there’s a relentless pressure [to improve profit margins]. Part of the solution is more and more efficient operations.

What hardware and software defines your IT infrastructure?

IBM and HP are the backbone of what we do. On the software side, we had implemented SAP in Europe. We got in very, very early, so it was a very steep learning curve and development process for us. That curve has smoothed itself out quite nicely now so that we’re deploying SAP in Asia. We have a homegrown system here in the U.S., and there is part of Europe that has a homegrown system.

We use SAP for finance, for example; we use the SAP HR module. We’re using their global trading system for export compliance. Our architecture allows us to bring in the best in a category and marry it up with the rest of the applications.

What major projects have you worked on?

We had about 750 servers [when I arrived]. The average utilization of those was somewhere between 10% and 15%. We did a server consolidation, and today we have about half as many servers that are far more efficiently utilized.

What technologies did you use to do that?

It’s an evolving process. We had enough servers. The connectivity of those servers is something we tried to be smart about. But there is a whole series of steps going forward that will get us to a true shared-service kind of environment. I’m very interested in the grid concept.

Step 1 was to reduce the number of servers, put more applications on a box. Step 2 is optimizing the boxes to make sure we don’t have vulnerability points. Step 3, which is yet to come, is something that will look like a grid of systems in which multiple systems could pick up the slack when one system fails or is overloaded.

Are there other initiatives besides grid that you're excited about?

I think that that which makes it simpler for the user makes it more productive for everybody. I want an environment where everything that faces the user is Web-like and intuitive. I just got back from a seminar [that] IBM put on, and I heard a lot about blogs. What I was interested in was the communication methodology using the Internet and how that applies internally in the business.




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Protecting  Consumer 
Data  on  the  Cheap 


A mandate to protect individuals’ personal data in the agency’s databases isn’t accompanied by any extra funds. By C. J. Kelly

IN MY LAST COLUMN [QuickLink 53861], I discussed how I was called upon to do a fiscal-impact analysis of a privacy bill that was going before our state legislature. The bill is expected to pass soon and become law. And when that happens, state agencies like the one I work in, as well as private businesses, will be held accountable for any disclosures of individuals’ personal information.

Despite my conclusion that complying with this law would require several hundred thousand dollars for just my agency, we and other state agencies might not receive any additional funds to comply with the mandate. So how do I go about protecting all the personal information that resides in our databases and servers and traverses our network?

No single hardware device or software application will be adequate. My best option is to use open-source tools and existing hardware to configure and install an intrusion-detection system. The IDS will let us monitor network intrusions and attacks and investigate the possibility of data such as Social Security numbers leaving or traversing our network in plain text. At least it’s a start.

Do-It-Herself

In all my previous, private-sector jobs, I managed the people who configured and installed such systems. Although I have analyzed the data from these systems, correlated the information with output from other sources, given direction to staff and approved plans related to the placement of network taps, network monitoring appliances, firewalls, VPN concentrators and other security devices, I have never built such a device with my bare hands and put it into production. I am unaware of anyone within the state system who has walked down this path before. But that could be a case of the right hand not knowing what the left hand is doing; state agencies are fairly autonomous, and while efforts are currently under way to improve collaboration and the pooling of talent in the security arena, there doesn’t appear to be a strategic plan. So people like me just muddle along, trying to do the right thing.

I’m a bit hesitant. Can I do this? To master the software I have selected — Red Hat Inc.’s Fedora Core 3, Snort, MySQL and BASE, as well as Apache, SSL and PHP — I will have to rely on my little-used *nix (Unix and Linux) skills, as well as white papers and how-to articles written by those much more experienced than me in the nuts and bolts of all this. I can also consult newsgroups and call on many friends and colleagues. And I know that help will be readily available from the open-source community, perhaps the most collaborative group of people on the planet.

For those of you unfamiliar with these particular pieces of software, here’s a short primer: Fedora Core 3 is Red Hat’s free distribution of Linux. Snort can be described as a lightweight network IDS capable of performing real-time traffic analysis and packet logging for IP networks. (“Real-time traffic analysis” is a bit of a misnomer. The type of IDS I intend to build is a passive system; it will watch network traffic and be able to send alerts when rules are violated, but it will depend on a human being to watch for the alerts and react accordingly. In contrast, an intrusion-prevention system sits in-line and either passes or denies traffic based on a configurable rule set.)

Snort can also perform protocol analysis and content searching/matching, and it can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, Common Gateway Interface attacks, Server Message Block probes and operating system fingerprinting attempts. It uses a rules-based language to describe the traffic that it should be collecting, and it has a real-time alerting capability.
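The passive, alert-only content matching described above, applied to the column's stated goal of spotting Social Security numbers crossing the network in plain text. This is an added Python example, not part of the original column and not Snort rule syntax; the `HOME_NET` range, the packet fields and the sample payloads are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed internal address range for the monitored headquarters network.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# 3-2-4 digits joined by the same separator ('-' or ' '), not embedded in a
# longer digit/dash run. Bare nine-digit runs are skipped: too many false hits.
SSN_RE = re.compile(rb"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    direction: str  # "outbound", "inbound" or "internal"
    masked: str     # only the last four digits are kept in the alert


def plausible_ssn(area: bytes, group: bytes, serial: bytes) -> bool:
    """Drop number ranges that are never issued, to cut false positives."""
    if area in (b"000", b"666") or area.startswith(b"9"):
        return False
    return group != b"00" and serial != b"0000"


def direction_of(src: str, dst: str) -> str:
    """Classify a flow; a span port at HQ sees flows with an internal end."""
    src_in = ipaddress.ip_address(src) in HOME_NET
    dst_in = ipaddress.ip_address(dst) in HOME_NET
    if src_in and dst_in:
        return "internal"
    return "outbound" if src_in else "inbound"


def scan_packet(pkt: dict) -> list:
    """Return one Alert per plausible SSN seen in the packet payload."""
    alerts = []
    for m in SSN_RE.finditer(pkt["payload"]):
        area, _sep, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            alerts.append(Alert(pkt["src"], pkt["dst"], pkt["dport"],
                                direction_of(pkt["src"], pkt["dst"]),
                                "***-**-" + serial.decode("ascii")))
    return alerts


def scan_capture(packets: list) -> list:
    """Passive pass over mirrored traffic: alert only, never block."""
    return [a for pkt in packets for a in scan_packet(pkt)]


# Constructed sample traffic (addresses, ports and payloads are made up).
SAMPLE_PACKETS = [
    # Clear-text web form leaving the network: should alert.
    {"src": "10.1.2.15", "dst": "203.0.113.20", "dport": 80,
     "payload": b"POST /apply HTTP/1.1\r\nHost: forms.example\r\n\r\n"
                b"name=J+Doe&ssn=123-45-6789"},
    # Internal mail carrying a space-separated number: should alert.
    {"src": "10.1.2.15", "dst": "10.1.9.9", "dport": 25,
     "payload": b"Subject: benefits\r\n\r\nSSN: 456 78 9012\r\n"},
    # Look-alikes: unissued ranges and a phone number. No alert.
    {"src": "10.1.2.30", "dst": "198.51.100.7", "dport": 80,
     "payload": b"order 000-12-3456 ref 987-65-4320 tel 555-867-5309"},
    # SSL-protected session: the sensor sees only ciphertext. No alert.
    {"src": "10.1.2.40", "dst": "198.51.100.7", "dport": 443,
     "payload": bytes.fromhex("170301002a8f3c9be1d4a7")},
]

if __name__ == "__main__":
    for alert in scan_capture(SAMPLE_PACKETS):
        print(alert)
```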

MySQL is a multiuser, multithreaded SQL database server that comes bundled with Fedora.

PHP, a widely used general-purpose scripting language that’s well suited for Web development, and Apache Web server software (utilizing SSL — Secure Sockets Layer — for security) are available with Fedora Core 3.

BASE, for Basic Analysis and Security Engine, is based on the Analysis Console for Intrusion Databases (ACID) project code and is now recommended as a replacement for ACID. This application provides a Web front end to query and analyze the alerts coming from the Snort IDS system.

Once I decided on the software, I had to find hardware capable of running it and performing the network monitoring and analysis. I had to take what I could get, though. I found a Dell desktop that wasn’t in use. It had an 80GB hard drive, 256MB of RAM, a Gigabit Ethernet network card and a 1.6-GHz CPU. From what I have read, this should be adequate, but there’s no way of knowing until the system is tested in real time.

I decided to concern myself only with intrusion monitoring for headquarters and not the branch offices, simplifying the number and placement of sensors. I had already requested that a span (mirrored) port be configured on the primary switch, and I tested it using Ethereal packet analysis software. I know this isn’t the perfect scenario, but again, it’s a start and better than nothing.

Before beginning the software installations, I looked for a how-to guide (instead of my usual approach, which involves installing software, making mistakes, reinstalling and so forth). The fellow who wrote the guide, Patrick Harper, will surely hear from me, since he states that his document is for the “Linux newbie, as well the Snort newbie.” I will let you know how this turns out in a couple of weeks, and I challenge any interested security managers to do this with me — all by yourselves. Don’t let the engineers have all the fun.

WHAT DO YOU THINK?

This week's journal is written by a real security manager, “C.J. Kelly,” whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com, or join the discussion in our forum: QuickLink a1590

To find a complete archive of our Security Manager's Journals, go online to: computerworld.com/secjournal
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DDoS  Protection 
Being  Guaranteed 

Counterpane Internet Security Inc. says that its partnership with Prolexic Technologies Inc. allows it to offer service-level agreements guaranteeing protection against multigigabit distributed denial-of-service attacks. Counterpane has added Prolexic’s intrusion-prevention services to its recently released Enterprise Protection Suite 2.0.


New Tool for
Data Monitoring

Vericept Corp. announced its Vericept 7.1 adaptive control platform, which it says allows administrators to make exceptions to the general monitoring rules and define who, what and when monitoring occurs. It also makes it possible to monitor categories according to the time of day and day of week and automates the routing of events so that captured data can be assigned and routed to specified individuals.


Freeware Targets
Web Site Security

NT Objectives Inc. released two freeware tools. NTOinsight 2.0 scans Web sites and analyzes site content, architecture and external interdependencies so users can visualize site exposure and attack vectors. NTOweb is a plug-in to NTOinsight that works with the Nikto database to detect over 3,100 Web server vulnerabilities.


VoIP Security
Workshop in D.C.

The Cyber Security Industry Alliance is hosting a workshop in Washington on June 1-2 on securing voice-over-IP installations. Topics include VoIP security deployment, VoIP security requirements and 1996 Telecommunications Act reform. You can register at http://pfkic.com/voip. The workshop is free for government employees and $195 for all others.


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COMING: 

SENSORS 
AND  PIXELS 
EVERYWHERE 

FUTURE WATCH: Businesses and customers will share these ears and eyes. BY LINDA ROSENCRANCE


Anatole Gershman

TITLE: Global director of research

COMPANY: Accenture Technology Laboratories, the Chicago-based technology research and development unit of Accenture Ltd.


Gershman spoke recently with Computerworld about Accenture’s vision for the future of technology, which includes interactive grocery carts and the ability for your wardrobe to communicate with stores.


What are the three main trends that will be driving business applications over the next three to five years?

If you look three to five years out, the underlying technology trends that . . . will continue to drive innovation are:

1. The rise of intelligent sensor networks.

2. The rise of scalable intelligence techniques — all the techniques that can analyze the data that is coming from all the sensors and could lead to useful business insight.

3. The rise of technology that enables you to be and act “there” from a distance and cope with lots of information, and it will be driven by pixels. We’re going to have very inexpensive pixels everywhere — we see it in cell phones.

Those are technologies that enable us to sense — intelligent sensor networks; to think — technologies that enable our systems to think, which is scalable intelligence; and technologies that enable us to act on all this intelligence.

What are the business applications of these trends?

Our vision of the business implications of these trends is what we call Reality Online — a connection between the physical world and the world that is reflected in our systems, so now technology will enable us to connect to physical realities and see them in real time, and for them to be reflected in our systems in real time so we can act on them in real time. I think Reality Online is going to revolutionize relationships between customers and enterprises.

How will Reality Online do that?

Let’s take an example of shopping for groceries. Supermarkets already collect a lot of information about their customers, using loyalty cards and checkout information, but they don’t do much with that information today. And the customers don’t get much benefit from this information.

Although some supermarkets are already experimenting with smart shopping carts, they don’t do much with them except to show customers some advertising and, in some stores, customers can use those carts as self-checkouts. A smart shopping cart is a cart with a little screen attached to it and with a wireless connection so with that cart, the supermarkets can actually communicate with a customer in real time.

Accenture built a prototype . . . that creates a model of a particular customer, say, Mrs. Jones, so we can create an exact model of Mrs. Jones with her exact shopping habits — what did Mrs. Jones buy, when did she buy it?

We can use this model to predict exactly what Mrs. Jones is likely to need, or want, in Aisle 3 of the supermarket on Tuesday afternoon. So with the smart cart, we can actually say something intelligent to Mrs. Jones, like reminding her about what she would buy in her normal buying cycle in a particular location of the supermarket, because shoppers typically forget to buy between 10% and 12% of what they should be buying.

And that’s real money to the bottom line of a supermarket, and that’s convenience for Mrs. Jones. This is what we call experiential technologies, or experience technologies — technologies that enable us to act right there where Mrs. Jones needs that action, right there in Aisle 3.

Can you take that idea a little further?

If we take this a little bit further into the future, we can imagine that a lot of clothing that we buy is going to have RFID tags. You can zap these tags out of existence at [the checkout] counter, but if you keep them activated, then you can access some interesting services through what we call an Online Wardrobe, which uses sensors, tagging and tracking technologies.

With the Online Wardrobe, consumers can selectively reveal the contents of their wardrobe to their favorite merchants. In return, they receive personalized offerings and timely reminders about products of interest. And since the wardrobe is in the consumers’ homes, businesses can more easily deliver products and services to where their customers live, rather than having to lure them to their stores or Web sites to make a sale.

Say, for example, you buy a jacket and you take it home, and your closet reads the tag and knows you bought a new jacket, and it can suggest what goes with it that you could purchase from an online store. The Online Wardrobe brings services to the point of need — you can buy clothing through a connected closet.

How will camera phones enhance the relationship between businesses and customers?

Today, people use phones to tell something to businesses, but with the proliferation of camera phones, people want to show something to businesses. Say I see a chair I like. I can take a photo of it and send it to a furniture store and ask if they have a chair like that.

Technically, people can take snapshots today, and they can e-mail snapshots today, but if customers want to do this, businesses have to create media-enabled call centers with the technology to handle that kind of incoming media in a scalable fashion. This will take some time — remember, it took many, many years to move from simple telephone service to call centers. I think it will move much faster than that, but I think it will take some time because it requires a change in the way businesses think about their customers.


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Compuware  Ships 
Governance  System 

■ Compuware Corp. has begun shipping Changepoint 10, an integrated IT governance and IT management system. The software is designed to provide enhanced visibility across applications, IT infrastructure systems and project portfolios, according to the Detroit-based company. New functionality includes the ability to identify applications that might be affected by systems being developed, plus configurable workflow capabilities that enable IT managers to identify a project’s status. Prices for the Windows-based product range from $400 to $2,000 per named user.


Elemental  Upgrades 
Compliance  System 

■ Elemental Security Inc. in San Mateo, Calif., announced the latest version of its Elemental Compliance System. The new version offers increased platform coverage, including agent support for Windows 2000 desktops, Windows 2000 and Windows 2003 servers, and Red Hat Enterprise Linux 3.0. It also has a deeper policy library that includes templates for Sarbanes-Oxley Act compliance and additional Windows applications, the vendor said. New automated remediation of host and application configuration policies, additional reports and support for Active Directory integration are also included. Pricing starts at $100,000.


Oracle,  Zend  Agree 
On  Integration  Link 

■ Oracle Corp. and Zend Technologies Inc. in Cupertino, Calif., announced new integration between Oracle's database and Zend’s PHP open-source scripting language for developing Web applications. The companies plan to deliver a free download in the third quarter called Zend Core for Oracle, which will allow developers to deliver PHP applications that are tightly integrated with Oracle's database.


JIAN  ZHEN 


Know  Your  Options 


Technology products are generally implemented either as appliances or as software applications. It’s vital for companies to understand the differences in cost, performance, security, installation, maintenance and support for these two different approaches as they make buying decisions.

Software vendors typically offer customers only the products they sell. Each product is often just a small piece of the larger puzzle of implementing a complex technology system. The customer is left with the burden of supplying all of the other components, such as hardware, databases and storage. Each of these components can add a significant amount to the total cost.

In contrast, appliance-based systems usually come as stand-alone, dedicated machines that may not require additional hardware and software. They may, however, have specialized ASICs or hardware built in, and they may have higher initial costs. And many customers may not want extra hardware in their data centers, and they may be able to reuse existing servers, databases and storage.

Appliance-based products are designed for only one standard platform, whereas software-based systems must support hundreds of combinations of hardware and software.

Appliances can be implemented based on the knowledge of the underlying hardware. This gives the customer tremendous leverage in the performance optimization process. Appliance vendors typically provide only a few choices of hardware platforms, but if it gives the customer the ability to acquire high-performance hardware, sometimes it is a better way to go.

The life expectancy of a default installation of Linux — meaning the time it takes for the host to be compromised — is approximately three days. For default installations of Windows operating systems, it’s much shorter, usually minutes.

For this reason, appliance vendors usually take special precautions to equip their products with minimum configurations that feature only essential tools and utilities. They may also harden the operating system to allow only authorized access.

In contrast, software is generally installed on the customer’s own servers. And the burden of securing these servers falls on the customer. Software may be an option for organizations that have standardized security hardening policies and whose employees have security expertise. For other environments, an already hardened appliance might be the better choice.

In a complex technology acquisition, the installation and configuration is often the most time-consuming phase of the project. Appliance-based technologies are designed to spare users the pain of selecting hardware, installing an operating system, keeping patches up to date and handling general system administration tasks.

Software products, on the other hand, require a complex installation process that includes these steps: obtain and qualify the server; ensure that the server’s operating system is updated to the revision level supported by the product; update the server with security patches; load the software on databases, the Web server and the application server; and configure the applications to work with the database and back-end systems. This can take weeks, if not months, to complete.

However, the road to implementation of an appliance can also be extremely long if the product comes with a nonstandard operating system or software that corporate security policies do not allow.

With  a  minimum  operating  system 
installation,  appliances  are  usually  not 
threatened  by  security  vulnerabilities. 
The  appliance  vendors  also  pick  up 
the  responsibilities  of  monitoring  and 
identifying  required  patches. 

In  the  case  of  software  purchases, 
the  customers  provide  the  servers  and 
must  monitor  and  identify  any  patches 
that  may  affect  their  environments. 
However,  many  customers  are  already 
doing  that  to  support  the  rest  of  their 
IT  infrastructures. 

Appliances are integrated hardware and software systems designed to work together. And appliance vendors are responsible for supporting everything, including the hardware, operating system and application, providing a single point of contact when a question or problem arises.

With software, the customer is left with the burden of determining which hardware component, operating system or application is at fault when a problem arises. This means the customer, not the vendor, must manage the problem, which may increase the time it takes to repair things.

In  any  product  selection  process, 
you  must  explore  your  choices  in  light 
of  your  current  resources  and  your 
corporate  security  policy.  Those  steps 
will  lead  to  a  much  more  informed  and 
thorough  analysis  of  the  real  cost  of 
buying  a  technology  product.  ©  54476 
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PREMIER  100  SPOTLIGHT 

Raise  the  Bar 

Good  vendor  relationships  —  and 
superior  service  —  don’t  happen  by 
accident.  Here’s  how  our  Premier 
100  leaders  get  their  IT  vendors  to 
notch  up  their  performance.  Page  42 


Career  Watch 

Sherry  Aaholm  of  FedEx 
answers  readers’  questions 
about  jobs  and  careers;  and 
a  new  book  explains  how  to 
hang  on  to  your  company’s 
“deep  smarts.”  Page  48 


OPINION 

Chain  of  Command: 

IT  and  the  CEO 

It’s  critical  for  the  CIO  to  report  to 
the  CEO,  says  former  Ace  Hardware 
CIO  Paul  Ingevaldson.  Here  are 
eight  reasons  why.  Page  50 


Until recently, many CIOs hadn’t given much thought to succession planning, thanks largely to a weak economy and low staff turnover.

“People were lulled into a sense of complacency over the last five years, as there hadn’t been much job movement,” says Bill Homa, CIO at Hannaford Brothers Co., a Scarborough, Maine-based grocer.

But that’s starting to change. The economy is gaining strength, and turnover is edging up. More important, many CIOs are recognizing that they need to actively develop the next generation of IT managers and technical leaders as thousands of experienced baby boomer IT professionals near retirement age and U.S. colleges and universities churn out fewer computer science graduates.

“Ten  years  from  now,  we’re  going  to  be  facing  a  big 
gap”  in  supply  and  demand  for  IT  management  and 
technical  skills,  says  Maria  Schafer,  an  analyst  at 


Senior management at most U.S. companies has done a poor job of succession planning — not only within the IT ranks but throughout most corporate departments such as finance, customer service and human resources, says Schafer. “We just don’t think in long-term horizons in the U.S. as they do in Japan and Germany,” she adds.

Still, some forward-thinking companies, like General Electric Co., have had succession management programs for years. “We place succession planning as an integral part of our leadership development process,” says Chris Perretta, vice president and CIO at GE Commercial Finance in Stamford, Conn.

Under a formal review process that’s done for all GE employees each spring, managers conduct an exercise known internally as “Succession C,” in which a rigorous, written succession plan is put together for each worker, says Perretta.

Smart IT leaders take succession planning seriously. By Thomas Hoffman

GE Commercial Finance succession plan for each of its 1,200 IT workers, he adds. At the CIO level, Perretta and other executives are constantly assessing IT directors and other potential candidates for attributes such as curiosity, business focus and high energy levels. To help develop its next set of IT and other corporate leaders, GE developed a short-term international rotation program more than 10 years ago to move workers among various geographic locations in order to give them “tangible international experience,” says Hank Zupnick, CIO at GE Commercial Finance Real Estate, a division of GE Commercial Finance, also in Stamford.

Detroit-based DTE Energy Co. launched a corporate succession-planning effort three years ago. The program was started following an executive repositioning in the wake of DTE’s merger with MCN Energy Group Inc. and an early-retirement program that was more popular than expected, says Lynne Ellyn, senior vice president and CIO at the diversified energy company. As part of the effort within DTE Energy’s 800-person IT department, Ellyn and other executives regularly review positions that are critical to the ongoing operations of the business, ensuring that there’s a “farm club” of talented IT professionals to fill critical positions as needed, she says.

Ellyn also has “a very detailed succession plan” for her own role. She has identified several IT directors as candidates to replace her — a list that has been reviewed by DTE Energy’s executive committee “so that it’s well known,” she adds.

Real-World  Testing 

Dan Demeter, Korn/Ferry International’s CIO, looks for ways to try out his succession scenarios. “When I go on vacation, I put different people in charge,” says Demeter, who manages a 60-person IT staff at the Los Angeles-based executive placement firm.

At other times, Demeter distributes his responsibilities among various IT directors and grants executive authority to one person. All this helps ensure that his management team will be ready to step in when needed.

For some IT managers, succession management within the IT organization isn’t strictly a hierarchical exercise. For instance, when Marriott International Inc. considers candidates for an opening within its 1,200-person information resources department, “we look across the organization, not necessarily down and up,” says George Hall, senior vice president of human resources for the IT group at the Bethesda, Md.-based hotel operator. By looking only vertically through the organization for the right person, he says, “you may be limiting your resources as to who may be the most effective person to step into that role.”

Successful Succession

Gwen Walsh, a senior consultant at Ouellette & Associates Consulting Inc., offers these succession-planning tips:

Do identify roles and responsibilities critical to attaining strategic and tactical business goals.

Do define the critical success factors and optimal profile for each position, including knowledge, experience, certifications, competencies and skills.

Do determine whether there's a logical progression path that can be defined for each target position.

Do assess those currently in key positions, comparing their profiles with desired profiles and noting gaps.

Do identify those who aren’t currently holding key positions but who have high potential.

Do work with high-potential candidates to create and execute a professional development plan, then track their progress and results.

Do create a matrix of key positions, success factors, profiles, incumbents and heirs apparent, including strengths, challenges and anticipated timing to reach each desired profile.

Do note key positions where there’s no heir apparent and determine your immediate, short-term and long-term strategies should that key position become vacant tomorrow.

Do be certain that you have identified your own replacement.

Do make leadership succession planning a dynamic process. Leverage it as you hire new talent, plan future strategies, look for resources in emergency situations, and raise the performance bar.

Don’t limit your thinking to formal leadership positions; informal leaders may be critical to your business.

Don’t limit your analysis to fit the profile of the person currently holding the position.

Don’t neglect to share the progression paths and let each person in your organization know where he fits into the big picture.

Don’t hesitate to grow your current leaders to optimize today’s contributions and results.

Don’t overlook a diamond in the rough.

Don’t miss the opportunity to find next-generation leaders within your organization.

Don’t keep all of the information in your head; document it.

Don’t assume that the unexpected happens only to other people.

Don’t limit your heir apparent to those on your team. Think outside the box; think diversity.

Don’t create the plan as a one-time event and allow it to grow stale and outdated.

Because some technicians want to take on leadership roles within their domains without having to become managers, Marriott has put together a leadership track and a technology track for its IT organization. People in the technology track can grow into a number of roles that lead up to the vice president level in terms of compensation, says Hall.

Like GE, Marriott also offers rotational assignments for IT and business workers alike. For example, one of its senior IT managers recently moved into a corporate HR role while a member of the finance department transferred to the IT department to work on financial applications, Hall says.

In  addition  to  rotating  IT  and  business  personnel, 
Hannaford  Brothers'  Homa  says  he  likes  to  place 
people  in  roles  “outside  their  comfort  zones”  to  help 
them  grow  professionally. 

For instance, the person who had been overseeing the grocer’s Windows NT operating system group wanted to develop more managerial experience. So Homa recently placed him in charge of the company’s IT support center, where he’ll be managing more personnel and responding “to a lot more problems,” says Homa.

Truman Medical Centers Inc. recently launched a leadership pipeline program to identify people who are ready to move into roles with greater responsibilities. In addition to handling their usual work, the II people who were selected have each been paired with an executive mentor and have been asked to oversee a strategic project that was hand-picked for them by the company’s CEO, says CIO Bill McQuiston.

The Kansas City, Mo.-based health care provider has also established leadership programs to identify “raw talent” in the organization and to help existing leaders address deficits in skills such as communication or presentation that might keep them from cracking the executive ranks, says McQuiston.

Harder  Than  It  Looks 

As essential as IT succession planning is, it’s also fraught with challenges. The first concerns the demands of technology itself. For example, DTE Energy needs IT workers who have a deep understanding of a particular technology, says Ellyn. But that focus can leave someone “inadequately equipped to move horizontally or in other areas” where interpersonal, business and other soft skills are needed, she says.

Another challenge is retaining people who have been groomed to move ahead. As companies invest in training and developing IT workers, they’re also making them more marketable. One of the biggest challenges that Marriott faces is low turnover at the senior management level, which can hinder emerging leaders from moving up quickly, says Hall.

CIOs  also  have  to  gain  a  better  understanding  of 
what  makes  younger  IT  workers  tick.  In  the  past, 
“when  people  died  off  or  moved  on,  you  advanced,” 
says  McQuiston.  Now,  he  says,  “people  are  looking 
for  a  better  road  map”  for  their  careers.  ©  54219 
help you get the best performance from your IT vendors.

Managing technology vendors used to be an invisible job that somehow just got done. But with more-complex IT offerings, increasingly complicated negotiations and the budgetary imperative to get the best deal, companies are formalizing the vendor management function with standard processes, centralized administration and firm opinions as to what does and doesn’t work.

The change can be seen among Computerworld’s Premier 100 IT Leaders, some of whom agreed to share best practices. Here are their tips on managing your hardware, software and services vendors.

1  Remove  IT  from  the 
contract  business. 

“The last thing you want is IT negotiating with vendors,” says David Rice, CIO at Siemens Medical Solutions Inc. in Malvern, Pa. “It can get very confusing and make negotiations unwieldy.”

Take the contract negotiation process away from IT and leave it to the experts. The rewards: efficiency, purchasing power and increasingly experienced negotiators.

Many companies have established vendor management offices (VMO) to handle vendor relationship management, negotiations and contract cost containment [QuickLink 52017]. When you’ve got a VMO, IT has to learn to butt out.

“When we’re working on a deal, we communicate within the organization that only certain people should be discussing it with the vendor,” says Rick Omartian, IT chief financial officer at The Guardian Life Insurance Company of America in New York, which has established a VMO. E-mail reminders warn IT workers not to talk with any salesperson, lest an innocent remark reveal pricing details on competitive contracts or internal deadlines and pressures.

But not all successful vendor management happens through a VMO. At Regions Financial Corp. in Birmingham, Ala., each vendor relationship is managed by the IT manager who most often uses that vendor’s products or services. The procurement group heads up negotiations, however, while the legal department handles the contracting process, according to CIO John Dick.

2 Aggregate purchasing power.

Centralizing contract negotiations can also help aggregate technology purchases and leverage your purchasing power, says Dick. Regions Financial strives to be among its vendors’ top 10 customers in terms of sales volume, in hopes of maximizing the business relationship and getting deeper discounts. “It’s real important to position your purchasing power at the sweet spot of the vendor,” Dick says.

Being a key customer has other potential rewards, including reciprocal business, he adds. For example, Regions Financial encourages its top technology providers to purchase its banking services.

3 Don’t get cozy.

No matter how strong the relationship is between your company and your vendor, always keep an eye out for other deals.

A case in point: Until recently, Guardian was using a single vendor for its telecommunications services. Then it conducted a full-blown request for proposals and ended up choosing two other vendors that now compete for its business, resulting in a 35% cost reduction, Omartian says. Now, “all vendors have to win our business on every deal,” he says.

Guardian ensures that no relationship gets too cozy. “When we spend a certain amount of money with one particular vendor, we need to substantiate why we went with that one versus another,” says Shelley McIntyre, vice president of business technology services.

Finding a better deal doesn’t always mean changing vendors. Sometimes it just means lighting a fire under a partner.

At MasterCard International Inc., Jim Hull, vice president of engineering services, checked out competitive offerings and found that one of his current telecom vendors had overpriced a bid by 100%. “We went back to our partner and said, ‘You’re in danger of losing this business,’ ” he says. “And guess what? They matched” a competitor’s bid.

Now MasterCard takes pains to keep everybody honest. For example, one vendor had previously dominated its storage business, but MasterCard recently added a second vendor to the mix. “Even though you have a great relationship and they have a great product, how do you know you’re getting a good deal?” Hull asks.


4  Benchmark 
the  industry. 

Industry benchmarking is an important tool for getting a fair deal. Contracts should always have benchmarking clauses to ensure that the service and pricing you receive stays competitive; this is particularly important in long-term service contracts, says Frank Enfanto, vice president of health care services systems delivery at Blue Cross and Blue Shield of Massachusetts Inc. in Boston. “Ten years ago, things were more costly on a per-unit basis than now,” he explains. The benchmarking clause should specify the review process and who needs to be involved.

You can also get pricing trend information from vendors that solicit you for business. “We get an idea of what their pricing is and renegotiate rates [with current suppliers] if we see a downward trend,” McIntyre says.

5 Don’t beat up the vendor on price.

There’s a caveat to all this talk about price. Sometimes, getting the lowest price is a harbinger of poor quality. Shoot for a mutually good deal. “This idea that I’m going to squeeze the vendor to get every cent — that’s not good business,” Rice says. “If it’s too sweet a deal on either side, it comes back to bite you later.” The relationship can turn adversarial, the supplier may become less responsive to issues you raise, and quality can suffer.

6  Evaluate,  evaluate, 
evaluate. 

Evaluate vendor performance using standardized procedures on a weekly, monthly, semiannual or annual basis, depending on the type of relationship. Guardian, for instance, uses 12 categories to rate its hardware and software vendors semiannually, including presales, postsales, cost-effectiveness, technology leadership, financial strength, cost savings and flexibility.

Worst Practices

IT vendor relationships are challenging in general, but relationships with outsourcers are the most challenging of all.

According to a white paper by Technology & Business Integrators, a consulting firm in Ramsey, N.J., there are some very wrong things to do when considering outsourcing IT functions. Here are TBI’s outsourcing no-nos.

■ Don’t rely on a handshake or ignore your due diligence.

■ Don’t second-guess the decision to outsource. That will undermine working relationships.

■ Don’t rely on a vendor for business advice, strategic advice or thought leadership in emerging technologies, unless that’s specifically the service it is contracted to provide.

■ Don’t assume that saving money will be the overriding benefit.

■ Don’t be complacent if you notice significant personnel change at the vendor.

■ Don’t outsource a problem. That will just make it an externally sourced problem.

Siemens  meets  with  outsourcers 
weekly  to  review  call  volumes,  mean 
response  time  and  other  metrics.  “You 
have  to  bird-dog  it,”  Rice  says. 

Evaluation metrics allow you to catch problems early and be open with the vendor about resolving them. “I’ve seen people rant and rave about poor service and then not follow through,” Dick says. “Vendors need to understand your willingness to escalate to the highest levels in the company and do it rapidly.”


7  Apply  peer  pressure. 

Regions Financial sometimes uses peer pressure to resolve vendor service issues. For example, it had a problem with its older ATMs, which were achieving only a 95% availability rate compared with a 98% industry average. The ATM vendor suggested that Regions purchase all new ATMs — a multimillion-dollar investment. Instead, after a week of exceptionally long outages, Dick began monthly meetings with all of the ATM service and equipment providers, as well as the internal IT people. Everyone was required to detail problems, resolutions, costs and avoidance measures. “There were 40 people in the room, and we used peer pressure to make them accountable for their performance,” Dick says.

The  result:  “We  went  from  several 
hundred  extended  outages  to  less  than 
15  a  month,”  he  says.  The  company’s 
1,400  ATMs  now  have  an  availability 
rate  of  98.6%. 

When MasterCard recently encountered a problem restoring backup data, it called in its hardware, software, network and storage vendors. It turned out that the tape vendor had mistakenly sold faulty drives to MasterCard. “Until it proved it could fix the problem, we told them we wouldn’t buy any more tape drives from them,” Hull says. Not only did the vendor fix the problem, but today it’s much more focused on meeting MasterCard’s needs, he says.

8  Focus  on  security. 

When Guardian created its VMO, it set up standard processes for its contracts, ensuring that terms were consistent across all relationships. When creating the contracts, the company decided to also nail down its security requirements. It created stricter intellectual property terms, for example, and required that contractors undergo background checks and that contracting firms carry a certain level of insurance. “If fraud is committed by one of their employees, we want to know they have insurance to cover that,” Omartian explains.




Develop  a  list  of 
preferred  vendors. 

Regions Financial maintains a strategic vendor management program for the dozen or so of its suppliers that it deems most important. The criteria for that designation include how much money Regions spends on the vendor’s technology, the strategic nature of the products or services, and the commonality of the companies’ technology visions, according to Dick. Regions develops special relationships with these vendors and expects higher delivery standards, shared technology investments and reciprocal business.

Remember,  not  every  vendor  can  be 
—  or  should  be  —  strategic.  You  need 
to  differentiate,  Enfanto  says.  “You  need 
to  understand  what  type  of  relationship 
you  want  —  strategic  or  just  tactical,” 
he  explains.  “In  a  true  partnership, 
there’s  a  lot  of  compromise  on  both 
sides.  You  might  give  up  something  on 
price  but  then  get  [more  in]  services.” 
In  a  strategic  relationship,  he  says,  the 
vendor  “is  really  concentrating  on  you. 
Your  problems  are  their  problems; 
your  successes  are  their  successes.” 


Use  preterms. 

The last place you want to get bogged down in vendor management is during contract review.

“Once  we  make  the  decision  to  go  with 
a  certain  vendor,  we  don’t  want  to  find 
out  there’s  a  major  [contract]  term  that 
they  won’t  agree  to,”  Omartian  says. 
Guardian  uses  preterm  documents, 
which  outline  contract  terms  in  business 
lingo  rather  than  in  legalese,  and  gives 
them  to  the  handful  of  vendors  that 
make  the  final  cut  during  negotiations. 

The preterm phase has already proved useful. “There was one time that we’d narrowed it down to three finalists, and we couldn’t get an agreement from one on the preterm,” McIntyre says, “so we actually switched out a vendor.”


Brandel  is  a  contributing  writer  in  Grand 
Rapids,  Mich.  You  can  contact  her  at 
mary.brandel@comcast.net. 


Hanging On to Your Company’s ‘Deep Smarts’

Does your company have the deep smarts to be competitive? In their new book, Deep Smarts: How to Cultivate and Transfer Enduring Business Wisdom (Harvard Business School Press, 2005), Dorothy Leonard and Walter Swap argue that the most successful corporations rely on people who possess a knowledge that is drawn from “firsthand life experiences” and “shaped by beliefs and social forces” based primarily on know-how and “know-who.” As the book’s title suggests, the authors’ main concern is helping organizations find ways to cultivate and transfer deep smarts so that knowledge can continue to benefit the organization after its original possessor has moved on.

Leonard and Swap say that deep smarts can be transferred from one management generation to another, but only with a concerted effort. Organizations must select employees with deep smarts and then let them devote a great deal of their time to coaching protégés. They use a learning process that the authors call “guided experience,” which includes practice, observation, problem solving and experimentation.

-  Jamie  Eckie 
ASK A PREMIER 100 IT LEADER

Q&A: Sherry A. Aaholm

TITLE: Senior vice president, express and freight solutions
COMPANY: FedEx Services, Memphis

Aaholm is this month’s guest Premier 100 IT Leader, answering questions about landing a job in IT and making the right career move. If you have a question for one of our Premier 100 IT Leaders, send it to askaleader@computerworld.com and watch for this column each month.


What options does an unemployed mainframe programmer/analyst with 30 years’ experience have to regain employment, when outsourcing for mainframe, midrange and client/server is at an all-time high?

You have two areas to explore. First, there are several large companies that do significant amounts of development work within their own IT organizations and utilize offshore partners to help supplement development, and there are large companies that do all of their development work in-house.

Only in the past few years have companies once again started hiring IT resources instead of holding head count static. Researching those companies that pursue this strategy might offer employment options.

The second and potentially more advantageous way to approach this is to take your 30 years of experience and outline how you could use it to assist those companies that use offshore partners. One of the challenges companies face when using offshore partners is having solid processes in place to manage the relationship and make it a win for both the company and the partner. So leveraging your 30 years to support this is an avenue to consider.


I have 10 years of experience in IT, with a master’s degree in computer science, an executive MBA from a top school and certifications such as PMP, CISA and CISM. I am currently working as a project manager. Can you offer a suggestion regarding a next step in my career where I can leverage all of the above?

Focus on how you can apply these skills to business analysis. Make the link between business and IT, help put technology in layman’s terms and define how it can help drive business goals. Focus on how to leverage what you have learned in the past 10 years and how that applies to the industry you are targeting. Use that to your advantage to create a laser focus on the job you want. People who have the skills to bridge technology and business aren’t necessarily common, and they add significant value to a company.


Barriers  in  the  Workforce 

In a first-quarter survey of 168 human resource executives and users of “enterprise talent management” systems, Boston-based Aberdeen Group Inc. identified the following as the top concerns and challenges that companies face in creating a high-performing workforce:

■ Internal workforce career development, succession planning and mobility
■ Insufficient talent in market
■ Inability to predict or plan future workforce
■ Inconsistency in hiring practices
■ Inefficiencies in the hiring process
■ Inability to compete for top talent


Good  News,  Bad  News  About  CIOs 


In a survey of 496 senior executives around the world that asked which of various “emerging” C-level titles will be the most powerful this year, CIO came in second, behind chief marketing officer. What’s most intriguing about this may be the fact that CIO and CTO were included on the list of emerging titles. Maybe in another 10 years or so . . .

Chief marketing officer: 38%
Chief information officer: 28%
Chief technology officer: 26%
Chief knowledge officer: 25%
Chief restructuring officer: 24%
Chief talent officer: 23%
Chief creative officer: 12%
Other: 8%

SOURCE: ASSOCIATION OF EXECUTIVE SEARCH CONSULTANTS, JANUARY/FEBRUARY 2005

58  COMPUTERWORLD  May  23, 2005 




Outsourcing

[Chart: How involved are the lines of business (outside of IT) in setting your company’s IT services initiatives and deciding which to fund? Categories: infrastructure outsourcing, business process outsourcing, offshore IT services. Responses: not involved, somewhat involved, more involved, very involved, don’t know.]

[Chart: Which statement best describes your interest in infrastructure outsourcing and applications outsourcing? Responses shown: no current interest, currently investigating, currently have a pilot project.]

Base: t15 IT decision-makers at North American companies. (Totals may not equal 100% because of rounding.)

SOURCE: FORRESTER RESEARCH INC., CAMBRIDGE, MASS., APRIL 2005


PAUL  M.  INGEVALDSON 


Chain  of  Command: 
IT  and  the  CEO 


For many years, IT has been trying to make the case that the CIO should report directly to the CEO. But surveys show that only about 40% of CIOs do so, and the proportion that report to the CFO is on the rise. I contend that this is happening because IT has failed to make the case for the importance of the direct reporting relationship. Here are eight reasons why the CIO should report to the CEO.


1. Today, most companies strategically differentiate themselves from their competitors through the use of IT systems. Since the CEO is the company’s chief strategist, he must oversee and direct IT to ensure that it’s involved in the most strategic issues on the table.

2. If IT reports to anyone other than the CEO, the technology agenda will be influenced by the objectives of that particular executive. It’s imperative that IT develop the most critical business applications, not the ones favored by one senior executive.

3. Since strategic IT projects can have so much of an impact on the future of the company, it’s essential that the CEO develop a working knowledge of the process of project creation. Lack of IT expertise is no excuse to delegate this. The CEO must immerse himself in this process to be sure that the company’s strategy is being properly addressed.

4. Although the CFO’s area of expertise may appear to be the most compatible with technology, I would argue that the CIO and CFO positions are polar opposites.

The CFO, by definition, is a risk-averse executive whose major responsibility is to protect the financial well-being of the company. His role is to question all major expenditures and assure that the proper controls are in place to maximize returns on investments. In publicly held companies in particular, the CFO’s viewpoint is decidedly short term.

The CIO must be a risk taker. Every strategic system development project is risky, since it has never been done before in the company and will have a long-term impact. It’s extremely difficult to predict costs and time frames, especially since the user department probably doesn’t fully understand what it needs. And since most significant system developments span multiple years, the CIO must be more future-oriented than the CFO. He needs a long-term vision of the future benefits of new development.

Under a CFO, IT would operate more conservatively. Is a conservative IT department the weapon your company needs to confront the intense competitive environment?

5. The costs of IT continue to rise as departments across the company request more from it. Ironically, it’s IT that must defend its rising budgets. If the CIO doesn’t report to the CEO, the CEO won’t understand that the IT budget is an investment in each department within the company.

PAUL M. INGEVALDSON retired as CIO at Ace Hardware Corp. in 2004 after 40 years in the IT business. Contact him at ingepi@aol.com.

6. If IT is indeed the strategic engine of the business, all parts of the company must be involved in setting its priorities. If IT reports to the CEO, all the other C-level executives will understand that.

7. The annual capital expense for IT is often the largest in the company. It’s essential that the CEO understand how this IT capital compares to requests from other departments. The CIO needs to be on equal footing with other C-level executives as they present their requirements to the CEO.

8. The IT environment is a minefield of escalating costs, technological setbacks, inflated expectations, shortages of time and resources, and pressure to gain competitive advantage. These difficulties are exacerbated by the limited IT knowledge of most people in the business and the fact that the average CIO tenure is 18 to 36 months. If a company wants to maintain some sense of continuity within its IT ranks, it’s critical that the CIO be a major “cabinet” member and have the ear of the CEO. Otherwise, the CIO will always be a convenient scapegoat when times get tough.

It’s essential that the CIO report to the CEO. One of the most common impediments to this happening, however, is the CIO’s inability to speak the language of business. When we become more business-oriented and give up geekspeak, the CEO will find our meetings worthwhile and will anticipate rather than dread them.
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Learn  Proven,  Top-Down 
Strategies  to  Achieve 
Enterprise  Mobile  and  Wireless  Success 
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Satyam  Computer  Services, 
Ltd.,  a  global  IT  co.  w/U.S. 
offices  in  Vienna,  VA, 
Parsippany.  NJ,  Santa  Clara, 
CA,  Chicago,  IL,  &  Atlanta,  GA 
seeks  comp,  professionals  &  IT 
Bus.  Dev/Mktng  Mgrs.  for  our  IT 
Comp.  Proff.  position,  we're 
seeking  Prog/Analysts,  Data¬ 
base  Administrators,  Network 
Eng.,  Sys.  Analysts,  Bus.  Sys. 
Analysts,  Qual.  Eng,  Sftwre  Eng. 
&  Proj.  Mgrs.  These  tech,  posi¬ 
tions  require  a  BS  degree  or 
higher  in  a  related  field  and/or 
relev.  industry  exp.  For  our  IT 
Bus.  Dev/Mktng.  Mgrs.  to  man¬ 
age  all  aspects  of  sales/bus. 
devp.  for  many  of  the  co's 
domain  industries  including 
Banking  &  Finance,  Automotive, 
Manufacturing,  Transport/ 
Logistics,  Retail,  Insurance,  to 
name  a  few.  Exp.  in  IT  Services, 
offshoring,  prgrm,  mgmnt,  indus¬ 
try  domain  expertise  &  six  sigma 
processes.  Our  Business  Dev¬ 
elopment/Marketing  Manager 
positions  require  a  master's 
degree  in  MIS,  engineering  or 
business  administration/market¬ 
ing  &  experience  in  related  posi¬ 
tions  such  as  Technical 
Marketing  Manager  or  Sales/IT 
Manager.  Candidates  w/relev. 
BS  degree  considered,  depend¬ 
ing  on  exp.  levels.  All  positions 
subject  to  relocation  to  various 
offices  &  client  sites  throughout 
the  US.  Qualified  applicants 
respond  by  mail  to:  Satyam 
Computer  Services,  Ltd.,  Attn: 
HR-051505,  8500  Leesburg 
Pike,  Suite  201,  Vienna,  VA 
22182,  or  by  email  to 
resumeus@satyam.com  Ref 
Job  Code#051505. 


SR.  VISUAL  BASIC.NET 
CONSULTANT 

Analyze  &  evaluate  existing  or 
proposed  software  sys.  Dvlp, 
implmnt  &  improve  progs,  sys.  & 
related  procedures  to  process 
data  using  in-depth  knowledge 
of  software  dvlpmnt  life  cycle. 
Encode,  test,  debug  &  install 
operating  progs  &  other  sys. 
software  utilizing  advanced 
knowledge  of  Visual  Basic.NET 
prog,  tools.  Bach,  degree  in 
Comp.  Sci.,  Math,  Engnrg  or 
Business  +  2  yrs  exp.  in  position 
offered  or  as  a  Software  Engnr, 
Sys.  Analyst  or  Sr  Programmer 
reqd.  Exp.  must  include:  (a) 
Windows  or  UNIX  operating  sys¬ 
tems,  (b)  Visual  Basic.NET, 
ASP.NET  &  XML  prog,  lan¬ 
guages,  &  (c)  Oracle  or  Sybase 
or  SQL  Server  databases.  High 
mobility  preferred.  40  hrs/wk, 
8am  -  5pm.  Submit  resume  via 
fax  to:  Stacey  Testa,  Dir.,  HR  at 
UBICS,  Inc.  in  Canonsburg,  PA 
at  724-743-4115  and  refer  to 
Job  Code:  VBNET. 


IT  Manager,  NY.  Plan, 
direct,  or  coordinate  activi¬ 
ties  in  electronic  data  pro¬ 
cessing,  information  sys, 
systems  analysis,  and 
comp  programming.  De¬ 
sign,  oversee  design  de¬ 
velopment  &  testing  of 
business  software  applica¬ 
tions.  Mast  deg  w/exp  or 
bach  w/5yrs  exp  in  job  or 
as  team  leader  reqd.  Apply 
HRD,  Systec  International 
Inc,  350,  5th  Avenue,  New 
York,  NY-10118. 


Technical  Director  -  To  provide 
technical  leadership  and  also 
provide  direction  for  company's 
current  assignments  and  future 
road  map.  Experienced  in  suc¬ 
cessfully  managing  projects  in 
areas  like  Application  and  Net¬ 
work  Performance  Engg.,  Cap¬ 
acity  planning  and  OPNET 
Network  and  Application,  Model¬ 
ing/Simulation  and  Business 
Process  Reliability  Engg.  Mas¬ 
ters  Degree  w/exp  or  Bach 
Degree  with  5+  years  exp  in  job 
or  as  Network  Engineer  re¬ 
quired.  Apply  to  HRD,  INNOVI 
Partners,  One  Exchange  Place, 
Suite  1000,  Jersey  City,  NJ 
07302. 


Sr. Software Engineer, permanent position opening at Avenir Consulting in Houston, TX for the analysis, dsgn, dvlpmt, testing & maintenance of enterprise applics using J2EE Architecture, Weblogic, iplanet, Javascript, Jrisk & XML/XSLT. Applicants must have MS/BS in Comp Sci or Engg w/3-5 yrs. exp. Mail resume to HR, 830 E. Higgins Rd., Ste #111-H, Schaumburg, IL 60173, or email to: careers@avenirsoft.com


Software Engineer (Applications) utilizing CAD/CAM in San Jose. Travel w/in US is req'd 40% of the time. Mail to Micronic Laser Systems, Inc., 1922 Zanker Rd., San Jose, CA 95112 or fax (408) 392-2261.


Senior SQA Analyst
To automate Testing w/ TSL+WinRunner in NYC. MS+3 or BS+5 in CS or equiv. Send CV to Misys IQ LLC at 1180 6th Ave, 4th Fl, NY, NY 10036 Attn: HR Dept


NovaStor Corporation, located in Simi Valley, CA, seeks a Software Engineer. The position requires a Masters Degree in Computer Science and knowledge of Operations Analysis, Programming and Technology Design. Fax resumes to Anita Gorino, HR Manager at 805-579-6710 or mail resumes to: NovaStor Corporation, 80B West Cochran, Simi Valley, CA-90365, Attn: Anita Gorino.


Network Systems Analyst
Analyze, design, & test network systems for industrial automatic applications & data communications systems. Required: BS in CS, yrs exp. Send res to Neteon Technologies, Inc. 28 Kennedy Blvd., Suite 300, East Brunswick, NJ 08816 Attn: Mr. Hubert Yu.


Team Lead: Alta Colleges seeks applicants for the position of Team Lead - PeopleSoft Systems Administration in Denver, CO. Oversee, implement and coordinate all administration and architecture regarding PeopleSoft Student Administration, CRM and Enterprise Portal PeopleSoft Application Suites. Requirements include master's degree or equivalent (bachelor's degree plus five years progressive experience) in computer science, computer applications or related field and 2 yrs exp as a PeopleSoft Administrator. Additional requirements include working knowledge of database server, application server and web server tuning and working knowledge of establishing and implementing PeopleSoft System Administration policies. Respond by resume to Michael Berrier, Alta Colleges, 2000 S. Colorado Blvd., #2-800, Denver, CO 80129. Refer to Job #1SE


GOLD'S GYM seeks an exp'd Database Analyst to create & maintain multiple databases & to dsgn & dvlp IT Reports using Crystal Reports, Crystal Reports Appln Srvr, SQL Srvr database & related tools.

Responsibilities also include: Write complex stored procedures, functions & views in SQL Srvr database; Dvlp & deploy web based reporting capabilities using .NET technologies & dynamic HTML; Analyze & dsgn data models using Erwin CASE tool. Req 5 yrs exp with excellent debugging & problem solving skills & a good understanding of all phases of Software Dvlpmnt Life Cycle & RDBMS concepts. Apply: HR, GOLD'S GYM, 2924 Telestar Ct, Falls Church, VA. Fax: 703 207 1680


Team Lead: Alta Colleges seeks applicants for the position of Team Lead - Conversion Team in Denver, CO. Make assignments to team members and review and coordinate their work. Provide direction and technical support to team members. Prepare reports and make presentations to company management. Analyze Legacy Systems. Analyze requirements of new ERP applications. Engage in data conversion/migration of Legacy Data to ERP systems. Be responsible for management of the Metadata Repository and Business Process Model for converting Legacy Data. Write detailed design specifications for Data Mapping and Transformation Logic. Requirements include 2 yrs exp in the job offered. Respond by resume to Michael Berrier, Alta Colleges, 2000 S. Colorado Blvd., #2-800, Denver, CO 80129. Refer to Job #1JA.


Software Engineer for Raleigh, NC based developer of software products for the retail industry. Requires four (4) years experience with object oriented design & development of web-based retail software applications for the grocery and general merchandise industries including conducting software requirement analysis, programming enhancements and unit testing for IBM Supermarket Application (SA), the Application Client/Server Environment (ACE) application, and the General Sales Application (GSA) point-of-sale systems. Send resume to H.R. Department, Attn: Peter Denhoed, OpenField Solutions, 5510 Six Forks Rd., Ste. 200, Raleigh, NC 27609.


Sr. Technical Application Packager & Deployment Consultant: MSI scripting; Software pkg creation; Desktop builds & application deployments utilizing Microsoft tech; Project accountability; Train clients. Reqs. extensive Wise Package Studio, MSI pkging, Windows NT, 2000 & XP, VB Script; Ghost, SMS. BS or equiv, + 5 yrs exp + SMS & MSCE. Send CV to Matt Ovanes @ Signature Consultants, 128 Tyron St #850 Charlotte, NC 28202; Fax (781) 937-5933.


SOFTWARE ENGINEER
R’sch, dsgn, & d’lp comp. soft. using VB, ASP, & SQL. Req’d: MS in CS, 3 yrs. exp. Resumes: Kaplan, Inc. 888 Seventh Avenue, NY, NY 10106. Attn: P. Torres.


Computers: Senior Analyst needed: Citicorp Credit Services Inc. (USA) currently has an opportunity available in the Hagerstown, MD area for qualified candidate. Duties include: Design, code, test & deploy software applications; Develop business requirements based on client input. Traveling beyond commuting distance required. Send resumes to: Attn: HR, 14700 Citicorp Drive, Hagerstown, MD 21742. Reference #104.


Comp: IT Manager, NY. Plan, direct, or coordinate activities in electronic data processing, information sys, systems analysis, & comp programming. Design, oversee design development & testing of business s/w applications. Mast deg w/exp or bach

PROLEXIC TECHNOLOGIES INC. ..... 30
PROMISSOR INC. ..... 24
QUALCOMM INC. ..... 4
QUALYS INC. ..... 21, 22
RADIANZ ..... 21
RED HAT INC. ..... 30
REGIONS FINANCIAL CORP. ..... 42
RESPIRONICS INC. ..... 10
RULESPOWER INC. ..... 24
SABRE HOLDINGS CORP. ..... 12
SAINT LUKES HEALTH SYSTEM ..... 4
SAP AG ..... 4, 10, 27
SARATOGA INSTITUTE ..... 43
SARBANES-OXLEY GROUP OF AUDITORS AND PROFESSIONALS ..... 5
SEARS HOLDINGS CORP. ..... 1
SEARS, ROEBUCK AND CO. ..... 1
SERVICE & SUPPORT PROFESSIONALS ASSOCIATION ..... 6
SIEBEL SYSTEMS INC. ..... 1
SIEBEL SYSTEMS INC. ..... 14
SIEMENS AG ..... 4
SIEMENS MEDICAL SOLUTIONS INC. ..... 42
SIERRA ATLANTIC INC. ..... 6
SKYBOX SECURITY INC. ..... 21, 22
SQUIRE, SANDERS & DEMPSEY LLP ..... 1
STORAGE TECHNOLOGY CORP. ..... 14
SUMMIT STRATEGIES INC. ..... 8
SUN MICROSYSTEMS INC. ..... 4, 10, 12
SYMBOL TECHNOLOGIES INC. ..... 10
TECHNOLOGY & BUSINESS INTEGRATORS ..... 43
THE BANK OF TOKYO-MITSUBISHI LTD. ..... 12
THE BENCHMARKING NETWORK INC. ..... 43
THE GUARDIAN LIFE INSURANCE COMPANY OF AMERICA ..... 42
TIVOLI SOFTWARE ..... 8
TRAVELOCITY EUROPE LTD. ..... 12
TROWBRIDGE GROUP ..... 12
TRUMAN MEDICAL CENTERS INC. ..... 39
TRUSTED COMPUTING GROUP INC. ..... 6
U.S. DEPARTMENT OF JUSTICE ..... 6
U.S. DEPARTMENT OF THE TREASURY ..... 10
U.S. FOOD AND DRUG ADMINISTRATION ..... 5
U.S. SECURITIES AND EXCHANGE COMMISSION ..... 1, 5, 6,
UNISYS CORP.
UPSIDE RESEARCH INC.
VERICEPT CORP.
WACHOVIA CORP.
WAVE SYSTEMS CORP. ..... 6
WEB SERVICES FEDERATION ..... 4
WYSE TECHNOLOGY INC. ..... 6
XCEL ENERGY INC. ..... 8
XENOS GROUP INC. ..... 12
ZEBRA TECHNOLOGIES CORP. ..... 5
ZEND TECHNOLOGIES INC. ..... 36

Sears-CSC

CSC argued in its motions filed with the Court of Appeals — from which it unsuccessfully sought an injunction to stop Sears’ move to cancel the contract for cause — that Sears terminated the agreement “for convenience due to change of control” as a result of the retailer’s merger with Kmart Holding Corp. The merger, which formed a new parent company called Sears Holdings Corp., was announced in November and completed on March 24.

If Sears and Kmart had completed their merger and canceled the contract by March 2, the fee for a convenience termination would have been about $58 million, El Segundo, Calif.-based CSC said. It noted that the fee increased to $96 million if the termination notice came within 90 days of June 1, the one-year anniversary of the contract signing date.

According to CSC, during a Feb. 18 conference call, Sears’ CIO at that time, Gerald Kelly Jr., read from a script, asking CSC to cap the charges at $58 million for a termination for convenience initiated prior to May 31. “If CSC does not choose this path, we will be forced to consider declaring a material breach under the agreement,” Kelly was quoted as saying. In its motions, CSC said it “refused to submit itself to Sears’ extortion tactics.”

In documents filed in court by Sears, though, the Hoffman Estates, Ill.-based retailer said it had notified CSC of 65 individual breaches of the agreement since the contract took effect. Sears claimed that CSC’s performance was “a dismal failure from the start” and by September had become “so poor that [CSC] was forced to summon a ‘red team’ from its corporate offices to assess its deficient performance.”

According to Sears, CSC graded itself as poor in nearly every category of contract performance, including service delivery, project planning and tracking, and team organization and strength.

Sears said it provided CSC with formal written notice on March 18 that the IT services firm had been in material breach of the agreement for several months and that it expected CSC to “cure” the breaches within 30 days.

Requests Denied

Meanwhile, CSC claimed that on the same day, prior to receiving Sears’ notice, it filed suit in U.S. District Court in Chicago seeking a temporary restraining order and preliminary injunction to stop Sears from terminating the contract for cause. It also asked the court for a declaratory judgment that it had not materially breached the contract.

Without ruling on the merits of the case, the district court judge denied CSC’s requests.

A representative for the district court said last week that the records of the case were not available. However, both Sears and CSC said in their appeals court documents that the judge ordered them to begin arbitration. CSC requested emergency arbitration, but that was also denied, according to Sears.

Sears and CSC declined to comment on the court cases and arbitration proceedings last week, as did lawyers for both companies.

John Thomas, a technology law partner at Squire, Sanders & Dempsey LLP in Tysons Corner, Va., said he hasn’t seen many long-term outsourcing deals become as “publicly messy” as the CSC-Sears one has. But he noted that the fees for terminating contracts for convenience are typically significant so vendors can recoup their heavy upfront expenses.

“The process of gearing up, bringing in people and all the work that goes into the first six to 12 months of an outsourcing relationship is very expensive,” Thomas said.

Even so, Akiba Stern, an attorney at Morgan, Lewis & Bockius LLP in New York, said it’s likely that CSC and Sears will settle the case privately, as parties involved in these types of disputes typically do.

In its SEC filing, CSC said it also will “vigorously pursue recovery” from Sears for the investments and commitments that the outsourcing vendor made in connection with the contract, including its spending on software, property and equipment.

Despite their legal differences, the two companies continue to work together on IT matters. CSC is obligated to provide IT services to Sears for an unspecified period following the termination, according to the retailer’s SEC filing.

The contract called for CSC to provide IT infrastructure support services for Sears’ desktops, servers, Web site systems, voice and data networks, and decision-support technology. © 54534

CSC: “No great leap is required to see what happened here. Sears was willing to pay $58 million in fees, but not the full $96 million it owed. When CSC refused to cap the fees and give up the $38 million to which it was contractually entitled, Sears crafted a plan to save itself all fees.”
— From an emergency motion for injunction pending an appeal filed with the U.S. Court of Appeals for the 7th Circuit in Chicago

Sears: “CSC did not propose adding additional resources or making changes in its existing plans in order to cure the breaches identified by Sears. Instead, CSC’s response consisted of a combination of denials, evasions and misstatements of CSC’s responsibilities under the agreement.”
— From a legal memorandum in opposition to CSC’s emergency motion for injunction


EDS Sues State Over Contract

ELECTRONIC DATA SYSTEMS CORP. last week filed a lawsuit against the North Carolina Department of Health and Human Services alleging that the agency improperly awarded a $171 million IT services contract to another vendor in April 2004.

The agency chose Affiliated Computer Services Inc. (ACS) over EDS and Unisys Corp. for the five-year Medicaid system pact. EDS, which had held the contract for the past 27 years, filed its lawsuit in North Carolina Superior Court after losing a string of administrative appeals.

In the lawsuit, EDS alleges that the Health and Human Services Department failed to follow its own procedures for reviewing and awarding the contract. The vendor also claims that state CIO George Bakolia last month improperly rejected a summary judgment by an administrative law judge who had ruled in favor of EDS in the contract dispute.

In addition, EDS alleges that the state made procedural errors during the review and appeals processes. It is asking the court to reverse the contract award to Dallas-based ACS.

EDS spokesman Travis Jacobsen said the company is challenging the award because it could set a precedent in deals with other states. The lawsuit “holds the state accountable to its processes,” he said, adding that EDS has won six of six similar Medicaid contract renewals in other states over the past 15 months.

Danny Lineberry, a spokesman for North Carolina’s Office of Information Technology Services, said Bakolia wouldn’t comment on the matter because of the pending litigation.

A spokeswoman for the Department of Health and Human Services also declined to comment about the lawsuit.

ACS spokeswoman Linda Graham said officials at the EDS rival are confident that it will prevail in the legal battle. “It was a fair procurement, and we have been upheld all along,” she said.

The contract with ACS calls for the replacement and continued operation of the North Carolina Medicaid Management Information System.

- Todd R. Weiss

FRANKLY SPEAKING ■ FRANK HAYES

The Trust Buster

Trust. That’s the point of the Sarbanes-Oxley Act: making sure investors can trust our financial statements. Of course, for anyone involved in Sarb-Ox compliance projects, it feels more like trust has been hanged, drawn, quartered, electrocuted, run over by a steamroller, then stood up against a wall and shot, just for good measure. With Sarb-Ox, it seems as if nobody in corporate America will ever be allowed to trust anyone ever again.

So there may not seem to be much comfort in the Sarb-Ox guidelines issued last week by the SEC [QuickLink 54486]. The agency’s staff now says we can trust each other — just a little bit.

That means not every single piece of financial data has to be rigorously controlled at every step in its life cycle; corporate management is allowed to use a little discretion. And auditors don’t have to be grim, silent inquisitors; they’re allowed to tell management what’s wrong, explain why it’s wrong and even suggest ways of fixing problems.

It’s only a little ray of trust in what’s become a very dark Sarb-Ox world. But right now, we can use all the hopeful signs we can get.

If you’re not doing Sarb-Ox work, you’re probably wondering what the big deal is. Why are top management and IT staffers all so bitter about it? Sure, it’s a huge project — documenting and testing all the controls on financial information and putting controls in place where they’re missing. But isn’t that really a lot like Y2k was — a huge project that won’t add value at most businesses but still has to be done?

Answer: No. With Y2k, we were saving the world. With Sarb-Ox, we’re agents of the inquisition. Y2k was a heroic sprint for an immovable finish line. More than a year into our Sarb-Ox work, it feels like a death march that will last forever.

And for what? Trust. But it seems as if for every drip of trust that investors will gain, we drain away gallons. Users can no longer be trusted. Neither can managers, or even our own IT people. Every access to data has to be logged, every spreadsheet checked, every number crunch verified.

In an uncomplicated, smoothly professional world, that would be a simple, one-time chore. In the very messy real world of business IT, it’s immensely complex and never-ending. And it’s overlaid by that “trust no one” ethos. We’ve always depended on trust to get through crises, meltdowns, glitches and ordinary momentary stupidity. We’ve trusted one another to reach in and fix the problems.

But now that’s forbidden. No reaching in. No out-of-process fixes. No trust. The job of Sarb-Ox implementors is to institutionalize paranoia. No wonder they’re bitter.

Worst of all, we know it’s not our fault. IT faces the lion’s share of Sarb-Ox “deficiencies” because we’re in charge of the data that will make up those trustworthy financial statements. Our “deficient” systems worked fine for years. Now, because crooked executives at a few companies played fast and loose with their numbers, we’re the ones who have to rebuild trust we never deserved to lose.

That’s why those new SEC guidelines truly are good news. They’re the first sign that Sarb-Ox won’t be an ever-expanding spiral of paranoia. The focus, the SEC now sensibly says, should be on the greatest risks of financial misstatement. It’s time to start replacing endless inventories and mindless checklists with informed management judgment about where those risks lie.

And in IT, we can start to think again about the best ways of protecting business data integrity — controls that are effective, not just exhaustive.

And then maybe we’ll begin to remember once more that investors want to trust not just the numbers, but also the people behind them. © 54496

Frank Hayes, Computerworld's senior news columnist, has covered IT for more
frank.hayes@computerworld.com.


SHARK TANK

Remember, No Live Demos!

Pilot fish’s boss is demonstrating the company's new e-mail client. “He asked one user what was his most important e-mail and then promptly proceeded to delete it to show how it could be salvaged,” fish reports. “In the course of restoring it, he inadvertently retrieved about 300 other deleted messages and, while they were in the process of restoring, tried to delete them again.” In the end, they’re gone - and so is the important e-mail. User: “So now you’re going to show me how to get that e-mail back?”

Unbooted

To make sure antivirus software is updated, pilot fish makes the process part of a log-in script on each user machine. But when a not-very-new virus infects a PC, fish gets chewed out in public for letting it happen. It’s not until he finally talks to the user that he realizes what went wrong.

“Turns out the user had not logged off and on in months, so she never got updates,” fish groans. “The IT manager told her boss, but the boss still blamed me for it.”

Unclear on The Concept

CIO e-mails all employees to tell them that external Web mail has been deemed a security risk, and it’s being blocked - but the change won’t affect sending or receiving messages through company e-mail. “One employee responds via her company e-mail account saying that she didn’t realize we had company e-mail and wanted to know who she should contact to get her set up,” sighs a pilot fish watching it all. “The CIO forwards her e-mail to the network team, requesting that she be set up.”

All in a Day’s Work

At the end of a rough shift getting an e-mail server working again, stressed-out sysadmin pilot fish goes to get a haircut. “My stylist struck up some conversation to break the ice: ‘Looks like you had a long day,’” says fish. “Without giving it much thought, I said, ‘Yeah, my boss killed a server and I spent the rest of the day cleaning up the mess.’ Her jaw dropped. It took me a couple of seconds to realize what I had said. I guess she thought I worked at a restaurant.”

Key Issue

After vendor rep makes his pitch, he offers to leave his presentation with pilot fish on a USB key drive. “Accessing the USB key later reveals several other documents in the Recycle Bin folder on the USB key,” fish says, “including an internal corporate presentation complaining about the lack of corporate support for the solution he was offering us. Who says it pays to recycle?”

SUPPORT YOUR LOCAL SHARK. Send me your true tale of IT life at sharky@computerworld.com. You’ll snag a snappy Shark shirt if I use it. And check out the daily feed, browse the Sharkives and sign up for Shark Tank home delivery at computerworld.com/sharky.